Wikipedia and Tor - a solution in the works?

Jason Holt jason at lunkwill.org
Mon Oct 31 08:41:06 UTC 2005


On Mon, 31 Oct 2005, Matthias Fischmann wrote:
> nym (and in any other IMHO reasonable architecture) is based on the
> idea that a user provides some credential like an IP address or
> (slightly more effective) an e-mail address that is hard to replicate
> in huge amounts.

If we're talking about pseudonymity in general, the most natural formulation 
is that nyms are merely unforgeable.  So for example, Lucky Green has a 
published PGP key, and an excellent reputation under his pseudonym.

Wikipedia is willing to permit pseudonyms issued under an ideal constraint of 
1-per-person, which they approximate using IP addresses.


> this is where nym comes in.  it hides the IP address from wikipedia,
> replacing it with a token that is exactly as hard to obtain as an IP
> address, but detached from the user's real identity.  the
> authentication server knows which IP address gets a token, and that no
> IP address gets more than one token, but doesn't know the mapping
> between IP addresses and tokens.  wikipedia can only see tokens, but
> no IP addresses (except those of tor nodes), but trusts the
> authentication server not to issue several tokens to the same address.

Quite correct.  (Well, nym assumes you'll trade your token for a more 
convenient client certificate, but it's basically isomorphic since tokens map 
1-to-1 with certificates).


> if wikipedia is unhappy with a user, it bans that user's token (with
> the same effect as banning an IP address if there was no tor network).
> if a blog site is perfectly happy with that same user, that site
> doesn't ban her token, and she can keep blogging like mad, until she
> gets banned here, too.  the authentication server is not involved in
> the punishment and excommunication on either site at all.  its only
> job is to detach identifying and anonymous credentials in a way that
> makes sybil attacks hard.

A reasonable proposition, although other configurations are possible.  Each 
service can run its own token/CA servers, or they can aggregate.  Aggregation 
is good for user privacy, isolation is good for control (e.g., wikipedia can
tell the token server not to hand tokens to already-banned IPs).


> as i understand the architectures anthony and cypherpunk propose, it
> doesn't have these properties.  nym does.

Cyphrpunk proposes using the more recent credential architectures which reduce 
inter-transaction linkability without compromising server ability to ban. 
They're really neat, but complicated and patent encumbered.

 					-J
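
The token flow discussed in this thread, as an added sketch that is not part of the original message and is not nym's own code. It assumes the authentication server uses RSA blind signatures to keep the IP-to-token mapping hidden, with a constructed toy key and unpadded RSA that is unfit for real use; TokenServer, Service, request_token and digest are hypothetical names.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key for the token server (two Mersenne primes; assumption, demo only).
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def digest(token):
    """Map a token to an integer mod N (no padding: illustration only)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N

class TokenServer:
    """Sees IP addresses, signs one blinded value per IP, never sees the token."""
    def __init__(self):
        self.served_ips = set()
        self.log = []  # everything the server ever observes from clients
    def sign_blinded(self, ip, blinded):
        if ip in self.served_ips:
            raise PermissionError("this IP already received a token")
        self.served_ips.add(ip)
        self.log.append(blinded)
        return pow(blinded, D, N)

def request_token(server, ip):
    """Client side: blind the token, have it signed, unblind the signature."""
    token = secrets.token_bytes(16)
    r = 0
    while gcd(r, N) != 1:  # blinding factor must be invertible mod N
        r = secrets.randbelow(N - 2) + 2
    blinded = (digest(token) * pow(r, E, N)) % N
    signed = server.sign_blinded(ip, blinded)
    return token, (signed * pow(r, -1, N)) % N

class Service:
    """A site such as a wiki or blog: sees tokens only, keeps its own ban list."""
    def __init__(self):
        self.banned = set()
    def ban(self, token):
        self.banned.add(token)
    def accepts(self, token, sig):
        return pow(sig, E, N) == digest(token) and token not in self.banned
```

Each Service holds its own ban list, so a ban at one site leaves the token valid at another, and the token server is only consulted at issuance.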


