nym-0.2 released (fwd)

Sat Oct 1 22:27:32 UTC 2005

On 9/30/05, Jason Holt <jason at lunkwill.org> wrote:
> http://www.lunkwill.org/src/nym/
> ...
> My proposal for using this to enable tor users to play at Wikipedia is as
> follows:
>
> 1. Install a token server on a public IP.  The token server can optionally be
> provided Wikipedia's blocked-IP list and refuse to issue tokens to offending
> IPs.  Tor users use their real IP to obtain a blinded token.
>
> 2. Install a CA as a hidden service.  Tor users use their unblinded tokens to
> obtain a client certificate, which they install in their browser.
>
> 3. Install a wikipedia-gateway SSL web proxy (optionally also a hidden service)
> which checks client certs and communicates a client identifier to MediaWiki,
> which MediaWiki will use in place of the REMOTE_ADDR (client IP address) for
> connections from the proxy.  When a user misbehaves, Wikipedia admins block the
> client identifier just as they would have blocked an offending IP address.

All these degrees of indirection look good on paper but are
problematic in practice. Each link in this chain has to trust all the
others. Whether the token server issues tokens freely, or the CA
issues certificates freely, or the gateway proxy creates client
identifiers freely, any of these can destroy the security properties
of the system. Hence it makes sense for all of them to be run by a
single entity. There can of course be multiple independent such
pseudonym services, each with its own policies.

In particular it is not clear that the use of a CA and a client
certificate buys you anything. Why not skip that step and allow the
gateway proxy simply to use tokens as user identifiers? Misbehaving
users get their tokens blacklisted.

There are two problems with providing client identifiers to Wikipedia.
The first is as discussed elsewhere, that making persistent pseudonyms
such as client identifiers (rather than pure certifications of
complaint-freeness) available to end services like Wikipedia hurts
privacy and is vulnerable to future exposure due to the lack of
forward secrecy. The second is that the necessary changes to the
Wikipedia software are probably more extensive than they might sound.
Wikipedia tags each ("anonymous") edit with the IP address from which
it came. This information is displayed on the history page and is used
widely throughout the site. Changing Wikipedia to use some other kind
of identifier is likely to have far-reaching ramifications. Unless you
can provide this "client idenfier" as a sort of virtual IP (fits in 32
bits) which you don't mind being displayed everywhere on the site (see
objection 1), it is going to be expensive to implement on the wiki
side.

The simpler solution is to have the gateway proxy not be a hidden
service but to be a public service on the net which has its own exit
IP addresses. It would be a sort of "virtual ISP" which helps
anonymous users to gain the rights and privileges of the identified,
including putting their reputations at risk if they misbehave. This
solution works out of the box for Wikipedia and other wikis, for blog
comments, and for any other HTTP service which is subject to abuse by
anonymous users. I suggest that you adapt your software to this usage
model, which is more general and probably easier to implement.

CP