Privacy Enhancing Credential
Full Title or Meme
A collection of private and secret data that can be used to prove an assertion in a manner that does not release more private information than absolutely required for the purpose described. Perhaps that term is used to indicate a mobile computer device, which is the preferred technology solution.
- Regardless of any technology used to protect user data in a credential, it serves no purpose if it is not limited to use in a protected Ecosystem.
- In some contexts, the term "Privacy Enhancing Credential" is used, although there are very few use cases where a credential is not mobile even when it is just a driver's license in a holder's pocket.
- Simple credentials that do not rely on secrets to protect user data are not considered to be of any value as a Privacy Enhancing Credential.
- As a general rule, private data is released only when the user agrees, and secret data is never released. This definition does not apply to private keys, which are seldom released and only in the most secure circumstances, like when a private key is used in several servers that provide the same security service. That would also be the case when the user had more than one mobile Smartphone and desired to have the same functionality on both devices.
- Perhaps the simplest Ecosystem is a Smart Card which comes with secure private key generation and cannot export the key.
- The Credential could be included and used entirely within the context of a Trusted Execution Environment, or a secure enclave and its resident software.