In my very first blog post, I want to write a little about my master thesis research project.

As Tim Berners-Lee, the inventor of the world wide web, tells us that the internet is broken, we have to do something about it. More and more power goes to the big companies like Facebook and Google, and everyday they know and learn more about us. If you authenticate with your Facebook login to another website, Facebook can track when you visit that website and which pages you are visiting.

So wouldn’t it be nice if there is some more decentralized technology that can help us to take back control of our privacy in a more decentralized way?

Luckily, in recent years, IRMA has been developed, invented by the PrivacyByDesign foundation, which promotes itself as a digital passport on your mobil. The founder of the PbD foundation, Bart Jacobs, published recently the IRMA Manifest, in Dutch

With IRMA, you can download attributes of yourself (like name, birthday and address) on your phone which are digitially signed by an authorized party, e.g. the government or a bank. After downloading attributes, you can go to a service provider that utilizes IRMA and consequently, you can authenticate with your attributes. The next figure shows how the issuing and disclosure session work in a decentralized way (meaning that the issuer cannot know that you use its attributes).

IRMA sessions

One of the more common examples is that you proof to a liquor store that you are above 18 years old (which is derived from your birthdate issued by e.g. the government).

The underlying concept is called Attribute Based Credentials (ABC) allowing users to prove certain properties about themselves without revealing their full identity. IBM developed a specification, called Idemix, which contains a set of cryptograpihc protocols supporting privacy-preserving features such as anonymity and unlinkability. Within the IRMA project, parts of the Idemix protocols have been implemented in the so-called gabi library.

Recently, the world wide web consortium, W3C, establied a working group which devloped a specification, called “Verifiable Credentials”, consisting of a datamodel. The goal is to make it easier for systems implementing ABCs to exchange messages with each other resulting in a worldwide credentials ecosystem where users can choose which apps they use and can “talk” to service providers deploying different systems.

In my research I am analyzing how IRMA can be changed to comply to the datamodel, and what for effects it has on the privacy- and security-properties IRMA guarantees. Possibly, I can also give recommendations to the W3C on what can be improved within the datamodel in a new version.

After I finished my research, I will happily announce this here on the blog and share a link to the final thesis with you.