Wikipedia and Tor - a solution in the works?
Jason Holt
jason at lunkwill.org
Mon Oct 31 08:41:06 UTC 2005
On Mon, 31 Oct 2005, Matthias Fischmann wrote:
> nym (and in any other IMHO reasonable architecture) is baesd on the
> idea that a user provides some credential like an IP address or
> (slightly more effective) an e-mail address that is hard to replicate
> in huge amounts.
If we're talking about pseudonymity in general, the most natural formulation
is that nyms are merely unforgeable. So for example, Lucky Green has a
published PGP key, and an excellent reputation under his pseudonym.
Wikipedia is willing to permit pseudonyms issued under an ideal constraint of
1-per-person, which they approximate using IP addresses.
> this is where nym comes in. it hides the IP address from wikipedia,
> replacing it with a token that is exactly as hard to obtain as an IP
> address, but detached from the user's real identity. the
> authentication server knows which IP address gets a token, and that no
> IP address gets more than one token, but doesn't know the mapping
> between IP addresses and tokens. wikipedia can only see tokens, but
> no IP addresses (except those of tor nodes), but trusts the
> authentication server not to issue several tokens to the same address.
Quite correct. (Well, nym assumes you'll trade your token for a more
convenient client certificate, but it's basically isomorphic since tokens map
1-to-1 with certificates).
> if wikipedia is unhappy with a user, it bans that user's token (with
> the same effect as banning an IP address if there was no tor network).
> if a blog site is perfectly happy with that same user, that site
> doesn't ban her token, and she can keep blogging like mad, until she
> gets banned here, too. the authentication server is not involved in
> the punishment and excommunication on either site at all. its only
> job is to detach identifying and anonymous credentials in a way that
> makes sybling attacks hard.
A reasonable proposition, although other configurations are possible. Each
service can run its own token/CA servers, or they can aggregate. Aggregation
is good for user privacy, isolation is good for control (eg., wikipedia can
tell the token server not to hand tokens to already-banned IPs).
> as i understand the architectures anthony and cypherpunk propose, it
> doesn't have these properties. nym does.
Cyphrpunk proposes using the more recent credential architectures which reduce
inter-transaction linkability without compromising server ability to ban.
They're really neat, but complicated and patent encumbered.
-J
More information about the tor-talk
mailing list