Idemix and Higgins
Private certificate protocols:
- Issuance: an identity provider issues a private certificate to a user.
- Prove: a user creates a proof for an assertion using one or more private certificates.
A private certificate (an anonymous credential in the idemix sense), once obtained, can be used any number of times to create proofs for assertions; the uses are unlinkable to each other unless the assertion itself establishes linkability (for example by disclosing an attribute that is unique to the user). A private certificate is never handed to a relying party; only proofs computed with it are.
For the architecture, idemix requires an STS plugin, preferably of a co-located STS, that can create idemix proofs for assertions. The creation of an idemix proof is modelled as a WS-Trust RST/RSTR exchange: the RST (RequestSecurityToken) carries the idemix private certificates, the assertion, the public keys involved, and the user's private key as input; the RSTR (RequestSecurityTokenResponse) carries the idemix proof token that is to be provided to the relying party. Because the RST contains the user's private key and private certificates, the STS that processes it must be trusted with them; this is why a co-located STS is preferred, since sending such an RST to a remote STS would hand those secrets to that party.
Issuance and Prove Protocols
The following describes the abstract flow for obtaining and using idemix private certificates; details are still to be provided.
Issuance results in the user obtaining a new idemix private certificate from the identity provider together with an I-Card describing it (the metadata the identity selector later matches against requests). The protocol is an interactive multi-round protocol between the two parties.
Providing an assertion backed by an idemix proof consists of the following steps:
- Once the user's client receives the assertion request from the relying party, the ISS matches the request's policy against the attribute values of the available private certificates and their associated metadata (I-Cards).
- The user is presented with the possible ways of fulfilling the assertion request (which private certificate to use and which attributes to disclose).
- The user makes a choice and provides it to the ISS.
- The ISS creates the corresponding RST, targeted at the co-located STS, and sends it.
- The STS replies with an RSTR containing the idemix proof token.
- The browser conveys the idemix proof token to the relying party; the private certificate itself never leaves the user's side.
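The issuance and prove steps above, and the RST/RSTR split between the ISS, the co-located STS and the relying party, as an added example. This is not Higgins or idemix project code; it is a toy CL-signature credential that keeps the idemix structure (signature (A, e, v) on the master secret and attributes, re-randomisation of A on every proof, selective disclosure with a Fiat-Shamir proof of knowledge of the hidden values) but makes simplifying assumptions: the modulus is built from two known Mersenne primes, there are no interval or primality proofs, and the issuer sees the master secret instead of a commitment to it. The names Issuer, prove, verify and prove_flow, the I-Card and policy dictionaries, and the attribute values are all constructed for the illustration. Python 3.8 or later is needed for pow() with a negative exponent.

```python
import hashlib
import secrets
from math import gcd

# Toy CL-signature credential, the core of idemix. Assumptions (illustration only, NOT
# secure): n is built from two known Mersenne primes, there are no range or primality
# proofs, and the issuer sees the master secret instead of a commitment to it.
_P, _Q = (1 << 31) - 1, (1 << 61) - 1              # both prime; n = p*q
_N = _P * _Q
_ORDER = (_P - 1) * (_Q - 1) // 4                  # order of the quadratic residues mod n

def _is_prime(e):
    return e > 2 and all(e % k for k in range(2, int(e ** 0.5) + 1))

def _hash(*parts):
    h = hashlib.sha256()
    for part in parts:
        h.update(repr(part).encode() + b"|")
    return int.from_bytes(h.digest(), "big")

class Issuer:
    """Identity provider: generators S, Z, R_a in QR_n; attr_names must include 'master'."""
    def __init__(self, attr_names):
        self.attrs = list(attr_names)
        x = secrets.randbelow(_N - 2) + 2
        self.S = pow(x, 2, _N)
        self.Z = pow(self.S, secrets.randbelow(_ORDER), _N)
        self.R = {a: pow(self.S, secrets.randbelow(_ORDER), _N) for a in self.attrs}

    def public(self):
        return {"n": _N, "S": self.S, "Z": self.Z, "R": dict(self.R), "attrs": self.attrs}

    def issue(self, attrs):
        """Issuance: CL signature (A, e, v) with Z == A^e * S^v * prod(R_a^attrs[a]) mod n."""
        while True:
            e = secrets.randbits(24) | (1 << 23) | 1    # random 24-bit prime, coprime to order
            if _is_prime(e) and gcd(e, _ORDER) == 1:
                break
        v = secrets.randbits(160)
        prod = pow(self.S, v, _N)
        for a in self.attrs:
            prod = prod * pow(self.R[a], attrs[a], _N) % _N
        Q = self.Z * pow(prod, -1, _N) % _N
        A = pow(Q, pow(e, -1, _ORDER), _N)           # e-th root: needs the factorisation of n
        return {"A": A, "e": e, "v": v, "attrs": dict(attrs)}   # the private certificate

def prove(pk, cert, disclose, context):
    """Prove: disclose the listed attributes, prove knowledge of the rest and of (A, e, v)."""
    n, S, R = pk["n"], pk["S"], pk["R"]
    if "master" in disclose:
        raise ValueError("the master secret is never disclosed")
    hidden = [a for a in pk["attrs"] if a not in disclose]
    A, e, v = cert["A"], cert["e"], cert["v"]
    r = secrets.randbits(160)                       # fresh per proof: this makes uses unlinkable
    A_, v_ = A * pow(S, r, n) % n, v - e * r        # A'^e * S^v' == A^e * S^v, but A' looks random
    e_t, v_t = secrets.randbits(200), secrets.randbits(400)
    m_t = {a: secrets.randbits(200) for a in hidden}
    T = pow(A_, e_t, n) * pow(S, v_t, n) % n        # Schnorr-style commitment to the hidden exponents
    for a in hidden:
        T = T * pow(R[a], m_t[a], n) % n
    disclosed = {a: cert["attrs"][a] for a in disclose}
    c = _hash(n, A_, T, context, sorted(disclosed.items()))   # Fiat-Shamir challenge
    return {"A_": A_, "c": c, "s_e": e_t + c * e, "s_v": v_t + c * v_,
            "s_m": {a: m_t[a] + c * cert["attrs"][a] for a in hidden},
            "disclosed": disclosed, "context": context}

def verify(pk, token):
    """Relying party: recompute the commitment from the responses and check the challenge."""
    n, S, R = pk["n"], pk["S"], pk["R"]
    disclosed, s_m = token["disclosed"], token["s_m"]
    if "master" in disclosed or set(disclosed) | set(s_m) != set(pk["attrs"]):
        return False
    Z_D = pk["Z"]
    for a, m in disclosed.items():                  # Z / prod(R_a^m) over the disclosed attributes
        Z_D = Z_D * pow(R[a], -m, n) % n
    T = pow(token["A_"], token["s_e"], n) * pow(S, token["s_v"], n) * pow(Z_D, -token["c"], n) % n
    for a, s in s_m.items():
        T = T * pow(R[a], s, n) % n
    return _hash(n, token["A_"], T, token["context"], sorted(disclosed.items())) == token["c"]

def prove_flow(pk, wallet, policy, context):
    """The prove steps: the ISS matches the request against the I-Cards, the RST (certificate,
    assertion, keys) goes to the co-located STS, and only the RSTR's proof token leaves the client."""
    options = [w for w in wallet if w["icard"]["issuer"] == policy["issuer"]
               and set(policy["claims"]) <= set(w["icard"]["attrs"])]
    if not options:
        raise LookupError("no private certificate satisfies the assertion request")
    chosen = options[0]                             # stand-in for the user's choice among the options
    rst = {"certs": [chosen["cert"]], "assertion": policy, "pk": pk}   # never leaves the client
    rstr = {"token": prove(rst["pk"], rst["certs"][0], policy["claims"], context)}
    return rstr["token"]                            # the only thing the browser hands to the RP
```

To try it, create an Issuer for the attribute names ["master", "age", "country"], issue a certificate for constructed values such as {"master": 1234567, "age": 34, "country": 276}, put it in a wallet entry with an I-Card listing "age" and "country", and call prove_flow twice with a policy that asks only for "age": both tokens verify, they carry different A_ values (so the relying party cannot link them), they contain only the disclosed attribute and the Schnorr responses, and none of A, e, v or the master secret appears in them. Changing a disclosed value in a token makes verify return False.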