With the Report "Architecture for Attribute-based Credential Technologies" (Privacy ABCs) the ABC4Trust consortium published the first version of the architecture design for the deployment of Attribute-based credentials. The ABC4Trust project will brings this privacy preserving technology to life in two pilots. The first pilot provides a social network for pupils in a secondary school in Söderhamn, Sweden. The second pilot will allow anonymous yet securely authenticated evaluation of classes at the University of Patras, Greece.
The architecture report provides the basis for the pilots and describes central aspects of the technology as it will be deployed in ABC4Trust. The architecture report has been designed to decompose future (reference) implementations of Privacy-ABC technologies into sets of modules and specify the abstract functionality of these components in such a way that they are independent from algorithms or cryptographic components used underneath.
The report also provides an analysis regarding the applicability of the ABC4Trust architecture to the popular existing identity protocols and frameworks such as WS-*, SAML, OpenID, OAuth and X.509.
The goal of ABC4Trust is to address the federation and interchangeability of technologies that support trustworthy yet privacy-preserving Attribute-based Credentials (Privacy-ABC).
Towards this goal, one of the main objectives of the project is to define a common, unified architecture for Privacy-ABC systems to allow comparing their respective features and combining them on common platforms. The first version of this architecture is described in the deliverable at hand. Its main contribution is the specification of the data artifacts exchanged between the implicated entities (i.e. issuer, user, verifier, revocation authority, etc.), in such a way that the underlying differences of concrete Privacy-ABC implementations are abstracted away through the definition of formats that can convey information independently from the mechanism-specific cryptographic data. It also defines all technology-agnostic components and corresponding APIs a system needs to implement in order to perform the corresponding operations, i.e. to process an obtained issuance/presentation policy, perform the selection of applicable credentials for a given policy or to trigger the mechanism-specific generation of the cryptographic evidence.
How Privacy-ABCs can be applied in existing identity protocols and frameworks such as WS-*, SAML, OpenID, OAuth and X.509 and how Privacy-ABCs can help to alleviate some of the security, privacy and scalability issues of these protocols is also discussed.