--- begin forwarded text
Delivered-To: clips@philodox.com
Date: Fri, 30 Sep 2005 23:10:27 -0400
To: "Philodox Clips List"
From: "R.A. Hettinga"
Subject: [Clips] nym-0.2 released (fwd)
Reply-To: rah@philodox.com
Sender: clips-bounces@philodox.com
--- begin forwarded text
Delivered-To: cryptography@metzdowd.com
Date: Sat, 1 Oct 2005 02:18:55 +0000 (UTC)
From: Jason Holt
To: cryptography@metzdowd.com
Subject: nym-0.2 released (fwd)
Sender: owner-cryptography@metzdowd.com
---------- Forwarded message ----------
Date: Sat, 1 Oct 2005 02:18:43 +0000 (UTC)
From: Jason Holt
To: or-talk@seul.org
Subject: nym-0.2 released
nym-0.2 is now available at:
http://www.lunkwill.org/src/nym/
My tor server is currently down, so I can't set up a public trial of this, but perhaps someone else will. This release makes the following improvements:

* Tokens are now issued one-per-IP to clients via a "token" CGI script. Tokens are still blindly issued, so nobody (including the token issuer) can associate tokens with IP addresses. The list of already-served IPs could be periodically removed, allowing users to obtain new pseudonyms on a regular basis. (Abusers will then need to be re-blocked assuming they re-misbehave).

* A token can be used to obtain a signature on a client certificate from a separate "CA" CGI script (potentially on a different machine). Tokens can only be "spent" to obtain one cert. Code to make a CA, client certs and have the certs signed is included.

* The CA public key can be installed on a third web server (or proxy) to require that users have a valid client certificate. Servers can maintain a blacklist of misbehaving client certs. Misbehavers will then be unable to access the server until they obtain a new token and client cert (via a new IP).

My proposal for using this to enable tor users to play at Wikipedia is as follows:

1. Install a token server on a public IP. The token server can optionally be provided Wikipedia's blocked-IP list and refuse to issue tokens to offending IPs. Tor users use their real IP to obtain a blinded token.

2. Install a CA as a hidden service. Tor users use their unblinded tokens to obtain a client certificate, which they install in their browser.

3. Install a wikipedia-gateway SSL web proxy (optionally also a hidden service) which checks client certs and communicates a client identifier to MediaWiki, which MediaWiki will use in place of the REMOTE_ADDR (client IP address) for connections from the proxy. When a user misbehaves, Wikipedia admins block the client identifier just as they would have blocked an offending IP address.
-J
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
--- end forwarded text
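As an added illustration (editor's example, not code from nym or from the forwarded message), here is a toy Python model of the three-step proposal above: blind RSA token issuance one-per-IP, spending the token at the CA for exactly one cert signature, and the gateway turning a CA-signed cert into the blacklistable identifier that stands in for REMOTE_ADDR. The RSA primes, the hash-to-integer mapping, the 16-byte token and cert values and the 16-hex-digit identifier are all constructed for the example and are not how nym encodes them.

```python
import hashlib
import secrets
from math import gcd

def toy_rsa_key(p, q, e=65537):  # constructed toy RSA (e, d, n); far too small for real use
    return e, pow(e, -1, (p - 1) * (q - 1)), p * q

TOKEN_E, TOKEN_D, TOKEN_N = toy_rsa_key(1000003, 1000033)  # token server's key
CA_E, CA_D, CA_N = toy_rsa_key(1000037, 1000039)           # CA's key

def h(data, n):  # hash-to-integer in Z_n
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def blinding_factor():  # random r that is invertible mod TOKEN_N
    r = secrets.randbelow(TOKEN_N)
    return r if r > 1 and gcd(r, TOKEN_N) == 1 else blinding_factor()

class TokenServer:
    """Step 1: blindly signs one token per IP; may refuse IPs on Wikipedia's block list."""
    def __init__(self, blocked_ips=()):
        self.blocked, self.served = set(blocked_ips), set()
    def issue(self, ip, blinded):
        if ip in self.blocked or ip in self.served:
            raise PermissionError(f"no token for {ip}")
        self.served.add(ip)
        return pow(blinded, TOKEN_D, TOKEN_N)  # signs without ever seeing the token

class Client:
    def __init__(self, ip):
        self.ip, self.r = ip, blinding_factor()
        self.token, self.cert_pub = secrets.token_bytes(16), secrets.token_bytes(16)
    def get_token(self, server):  # blind the token, have it signed, unblind the signature
        blinded = h(self.token, TOKEN_N) * pow(self.r, TOKEN_E, TOKEN_N) % TOKEN_N
        self.sig = server.issue(self.ip, blinded) * pow(self.r, -1, TOKEN_N) % TOKEN_N

def ca_spend(token, sig, cert_pub, spent):
    """Step 2: a valid token buys exactly one cert signature; `spent` is the CA's reuse record."""
    if pow(sig, TOKEN_E, TOKEN_N) != h(token, TOKEN_N) or token in spent:
        raise PermissionError("bad or already-spent token")
    spent.add(token)
    return pow(h(cert_pub, CA_N), CA_D, CA_N)

def gateway_client_id(cert_pub, cert_sig, blacklist=frozenset()):
    """Step 3: turns a CA-signed cert into the identifier handed to MediaWiki as REMOTE_ADDR."""
    if pow(cert_sig, CA_E, CA_N) != h(cert_pub, CA_N):
        raise PermissionError("cert not signed by the CA")
    cid = hashlib.sha256(cert_pub).hexdigest()[:16]
    if cid in blacklist:
        raise PermissionError(f"{cid} is blocked")
    return cid
```

The token server's `served` set records only IPs, never tokens, which is what keeps the issuer from linking a later cert back to the IP that paid for it.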
--
-----------------
R. A. Hettinga
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
_______________________________________________
Clips mailing list
Clips@philodox.com
http://www.philodox.com/mailman/listinfo/clips
--- end forwarded text