Hello directly from Jimbo at Wikipedia

David Benfell benfell at greybeard95a.com
Wed Sep 28 03:16:50 UTC 2005


On Tue, 27 Sep 2005 17:25:07 -0700, cypherpunk wrote:
> 
> Looking at the proposals for authentication servers and such, I see a
> major issue which is not being addressed. That is, how does the web
> server distinguish "authenticated" Tor users from unauthenticated ones?
> If this is via a complicated protocol, there is no point as the
> servers won't use it.
> 
There would have to be some kind of inconvenient-to-obtain key
involved.  And it would probably have to expire at relatively short
intervals.

> The hard truth is this: the distinction must be done on the basis of
> IP address. That is, there must be a separate set of Tor exit nodes
> which are only for authenticated users.

Except that a good deal of the verbiage on this thread has illustrated
the shortcomings of IP addresses.  You asked how a web server would
distinguish between authenticated and unauthenticated Tor users; your
suggestion would require the Tor server to authenticate users.

The moment you authenticate, you are no longer anonymous.  Hence Tor
no longer serves the purpose for which it is intended.
> 
> The technical problem is then, how to achieve as much anonymity as
> possible in the authenticated network, while still providing the abuse
> prevention services which Wikipedia and other servers will require in
> order to whitelist the nodes.
> 
This is not a technical problem.  What you propose is a fundamental
contradiction.  It is a logic problem which cannot satisfactorily be
addressed at the technical level.

> To solve the problem we would need to use some cryptographic
> mechanism. Let authenticated users gain credentials via some
> expensive, slow process. Let them embed the credentials in their
> messages such that they are revealed in some blinded form to the exit
> node. Let the exit nodes remember the credentials which were used at
> different times. When valid complaints arrive, let the exit nodes
> blacklist the credential which was in use at that time. This stops the
> abuser.

I'm thinking of web cookies.  These are already a well-developed
technology.  They work for all kinds of sites that require
authenticated access.

Now, let's be clear about the anonymity that Wikipedia hopes to
preserve.  In fact, they are claiming that they are blacklisting Tor
(and I presume other anonymous) IP addresses, because anonymous users
vandalize Wikipedia entries.  They say they don't want to identify
users, but the policy of blocking users by IP address assumes that a
user is identified by that IP address.

Therefore, Wikipedia is using IP addresses to identify abusers.  Just
like I blacklist IP addresses of SMTP servers that send me spam.  It
is not a perfect identification; I *know* that I miss out on
legitimate e-mail.  But it is identification--and therefore, I am
treating no IP address as anonymous.

So if Wikipedia is going to block based on IP address, then they too
must drop the fiction that they are preserving anonymity.  They
aren't.  For either a user can be identified through an IP address or
they are refusing edit access.

-- 
David Benfell, LCP
benfell at parts-unknown.org
---
Resume available at http://www.parts-unknown.org/


