-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
As suggested by Tor Project's helpdesk, I'm forwarding this message to tor-dev, in hopes that I might be able to evoke any useful references, suggestions or commentary.
- ---------- Forwarded message ---------- From: Matt Pagan via RT help@rt.torproject.org Date: Fri, Jun 7, 2013 at 4:42 PM Subject: [rt.torproject.org #10568] Adapting 'tag' URI into p2p identity authentication system To: datapacrat@datapacrat.com
You should subscribe to the tor-dev mailing list and bring this up on that public mailing list: https://lists.torproject.org
On Fri Jun 07 18:02:44 2013, datapacrat@datapacrat.com wrote:
I'm working on the initial stages of a project which seems likely to be of use to many who use the Tor protocol; and which could itself likely benefit from the experience of the people who build and use Tor extensively.
I am currently looking into creating a new URI based on 'tag:' ( http://www.taguri.org/ , https://tools.ietf.org/html/rfc4151 ) to use for distributed reputation systems. I would like a common protocol so that this idea can be easily expressed: "Authority A says that X and Y are the same person" (with an optional field for the certainty of that statement) (with an optional comment field) (with an optional authentication hash). It seems likely to be simple to implement the new URI (perhaps called 'nym:') in existing mail/contact software, so that nym: links can be automatically imported into contact lists to update them.
Might you be interested in helping me work this out; or pointing me in the direction of anyone else who might be?
Here's an initial draft of what I mean:
nym:Authority[,DateTime]:(Identity1)[,date];(Identity2)[,date][;(Identity3)[,date]][?comment1[&comment2][#authenticationHash]
While based on 'tag:', there are a number of changes from that URI's format:
The authority can be not only an email address or a domain name, but some other identifier, such as the URL of a social media profile, such as http://twitter.com/DataPacRat or http://www.facebook.com/DataPacRat .
The date is no longer limited just to a particular date, but can be specified (using ISO 8601 format) down to a particular second, for any rapidly-changing identities.
The identities can be plaintext names, social media profile URLs, library card numbers, or any other chosen identifiers; though regularly-formed URIs, email addresses, and domain names are most likely to be most common.
The comment fields are left incompletely defined, to allow for future expansion; such as to indiciate trustcloud whuffie scores, how the authority knows the individual being identified, or anything else that someone comes up with. It seems a good idea to suggest the use of existing fields from vCard and FOAF, to ease interoperability.
By default, if a comment field is a number, that number is assumed to be how confident the authority is that all the listed identifiers all refer to the same individual, measured in decibans. (Decibans are logarithmic, with 0 decibans being equivalent to 1:1 odds, or being 50% confident; 10 decibans to 10:1 odds, or ~90% confident; 20 decibans to 100:1 odds, or ~99% confident; and so on.) It is recommended that these numbers be integers, unless there is a specific reason to be able to specify confidence to greater accuracy; and with a magnitude under 128, as it requires extraordinary effort to have 100 decibans of confidence for even the most fundamental facts.
(This method also implicitly allows for revocation of an identity referral, simply by using a negative number instead of a positive one.)
The authentication hash is to provide strong evidence that the listed authority is actually the one making the assertion. By default, it is assumed to be based on whatever public cryptographic key (eg, PGP/GnuPG or X.509) is linked to the listed authority ID; and that what is being signed is the string of text before the hashmark.
This could allow for something like the following:
nym:datapacrat@datapacrat.com:(datapacrat@datapacrat.com),2013-06- 05;(http://twitter.com/DataPacRat),2013-06-05;(Daniel Eliot Boese)?100&TrustCloud,774&Klout,29#randomhashofletters
... to indicate that as of that particular date, I indicate with maximum confidence that my name, email address, and Twitter account all point to me, and that I have two social media scores. (I would have used 127 decibans instead of 100 if I'd just been asserting my own identity.)
Thank you for your time, -- DataPacRat "Then again, I could be wrong."