Hello directly from Jimbo at Wikipedia

Paul Syverson syverson at itd.nrl.navy.mil
Thu Sep 29 13:56:19 UTC 2005


Some points of clarification that I hope will help:

(1) On anonymity and authentication/pseudonymity/etc.

All versions of Onion Routing, including Tor,  were designed to separate
identification from routing.  The slogan way that I have put this for
the last five or six years is:

 Onion Routing is about anonymizing the communication pipe, not what
 goes through it.

The devil's always in the details, but as one-line summaries go, I
think that sums it up pretty well.{1}

(2) On various pseudonym authentication or anonym
authentication{2}, etc. approaches to solving the problem at hand.

Some of this is ultimately necessary for various applications,
especially once the Internet looks as Geoff described it. (In fact I
think it's one precondition to realizing anything like that vision.)
But I'm dubious about any of those proposed to date here providing
enough friction to identifier acquisition to deter abusers but not
honest users in this context. They may be worth trying.  Roger's
suggestion about the temporary IP blocks and Steven's about the
separate puzzle servers come to mind, probably some others I'm
forgetting just now.  But as Roger says, somebody's gotta code them
up---and probably much more work---deploy them, maintain them, and
evaluate their effectiveness, all on the Tor-Wikipedia frontier.  I
suspect that the abuser who goes postal as Jimmy described is willing
to waste lots of time acquiring IDs, but perhaps stereotypes about
attention span are close enough to true for some of the proposals to
be effective.  I had my own proposal that doesn't rely on any of this,
and that could be implemented and deployed in a few days (OK after
spending at least a few months or so thinking about the design, the
engineering, and the implications.) In the spirit of mutt: All these
ideas suck; I just think that one sucks a little less.


-------------------------------------------------------------
{1} Some further specifics for (1)

Anonymity and identification/authentication can be entirely
compatible. By this I mean that one can be anonymous (to everyone) as
far as one identifier goes but authenticated (to a specific protocol
principal) wrt another as part of the same communication. This has
been an intentional part of the design of every Onion Routing system
including Tor.  It contrasts with systems like Crowds, which was
directed at distinct but related security properties, thus they made
anonymity of the circuit inherently depend on the anonymity of the
data passing over it. As a specific example of using Tor for
authenticated communication over anonymous circuits, when travelling I
often need to log back into NRL to check mail and do other things. I
do this via ssh over Tor. That way the local hotel staff, ISP staff,
any other network observers don't see me logging in to NRL. But I can
assure you that I want to make sure I am going to NRL and no place
else and that I want to make sure only I, and no one else, succeeds in
accessing my account. (And Jimbo, in my experience, it has been
realtime enough to be editing in vi or emacs with no noticeable
trouble over this line. I can't say that someone who expects permanent
T1 rate downloading is going to be happy with Tor, but you should check it
out and see the performance for yourself over a few days, rather than
relying on the reports you've heard.)

I also discussed this in my testimony to the National Academy of
Engineering panel that did a study of authentication and privacy
several years ago. (Cf. _Who Goes There?  Authentication Through the
Lens of Privacy_ from the National Academies Press.)

As many have noted, Tor has enough of a job trying to do one thing
well.  Trying to do more things will just mean it does that thing less
well or later. But that does not preclude designing to be compatible
with other things, e.g., privoxy to somewhat sanitize, i.e., anonymize
web traffic over Tor, or connect to enable authenticated communication
via ssh over Tor.  (There's a program named `connect' in case you had
trouble parsing that.) The discussion now is how to make Tor and
Wikipedia compatible, the interface as Nick put it.

{2} Yes you can authenticate someone who is anonymous from you.
Besides various group signature approaches, cf., e.g., my papers on
UST (Unlinkable Serial Transactions), or look at the proposal for
common terminology (new version recently out) at

http://dud.inf.tu-dresden.de/Anon_Terminology.shtml

What we called an `anonym' in the UST work and elsewhere they call a
`transaction pseudonym'.
-------------------------------------------------------------



More information about the tor-talk mailing list