New members of the list may not be aware of the background of some of the technologies we discuss here, such as the remailers. The purpose of these systems is not really to help people mailbomb newsgroups or send harassing letters to their fantasy girlfriends without fear of repercussions. One goal of remailer-type technology (which present systems don't meet very well) is to allow people to use pseudonyms for their electronic activities. By using a "nym" a person is able to engage in communications of various types without fear that some aspect of what they say or do will impact them negatively in "real life". There are a lot of potential forms of harm which could arise now and in the future from databases recording the various interactions a person has had in cyberspace. By preventing the linkage between his online activities and his real identity he can protect himself and his privacy. At the same time, nyms allow for continuity of identity to be maintained over a period of time. A person posting under a nym can develop an image and a reputation just like any other online personality. Most people we interact with online are just a name and an email address, plus whatever impression we have formed of them by what they say. The same thing can be true of nyms. Cryptography plays an important part in making effective use of nyms possible. The first thing it can do is to allow users to send and receive messages under the name of their nyms without anyone discovering the True Name (capitalization from Vinge's short story "True Names") behind the nym. Cryptographer David Chaum has proposed two technologies for this; the network of "Mixes", on which our own remailers are modeled; and the so-called "Dining Cryptographers' Network" (DC-Net), which allows a cooperating group to send messages in such a way that it is not possible to tell which member of the group originated each message. Cryptography can also help maintain the continuity of the nym, by allowing the user to digitally sign messages under the name of the nym. The digital signature cannot be forged, nor can it be linked to the True Name of the user. But it makes sure that nobody can send a message pretending to be another person's nym. These techniques are already in use or under development, in some form or another. But there is much more that could be done to provide privacy protection and flexibility in the use of nyms. One possibility is a digital reputation system. Presently people and nyms develop informal reputations in the minds of their readers. This could be formalized by allowing readers to create endorsements of various types for those who have worthwhile things to say. An endorsement could take the form of a digital signature by the endorser. In the simplest form, the endorser would digitally sign a message which said, in encoded form, "In my opinion, person (or nym) XXX produces high-quality messages". This endorsement would be kept by the person it was given to and shown when he enters a new cyberspatial forum to help establish an initial reputation. People who are able to bring a variety of endorsements from respected individuals or organizations will be able to have their words carry weight from the beginning. Without these, a new poster may find that not many people can even be bothered to read his messages amongst the flood of others. The endorsements can break through the barriers, the filters which people use to decide what information to receive. They represent a digital reputation which can be carried to distant regions of cyberspace. One could imagine more elaborate forms of endorsements, as well. Chaum describes a technique by which a numerical rating could be given, say on a scale from 1 to 100. Because of the mathematical structure of Chaum's approach, a person who carries such an endorsement can optionally downgrade it when he shows it. Suppose some paragon of wisdom has dozens of "100" endorsements from respected individuals. Entering a new group, he may not want to intimidate people, so he displays his endorsements as a respectable "70+". This lets him be heard without overwhelming other participants. Pseudonyms can prevent messages from being linked to True Names, but there is still a privacy problem as information accumulates about the nym itself. As more and more activities take place online, if one uses the same nym all the time, the buildup of information about that nym, his preferences, his favorite places to go in cyberspace, his political views, etc., may become burdensome. All that baggage accumulates and is easily available to others. It may become as much of a barrier to a nym's online activities as it would have been to the True Name's real-life activities. One solution is to use a nym for some purposes and the True Name for others. Then the information about the two is separate and nobody can link them up. This helps, but after a while again there is an accumulation of information about both names, which is what we wanted to avoid. A better solution is to use multiple nyms, perhaps with different nyms in different online fora. Even the True Name could be used occasionally where warranted (such as in an online relationship where physical contact occurs as well). Nyms could be changed periodically as well, preventing the buildup of information about any given nym. One problem is that the simple reputation system above does not work with multiple nyms. If you get a digital endorsement of one nym in the form described before, you will not be able to use that endorsement on your other nyms without giving away the connection between them. And when you retire that nym and replace it with a new one, the endorsement is lost. This is the problem which Chaum solves in his paper, "Showing Credentials without Identification; Transferring Signatures between Unconditionally Unlinkable Pseudonyms," from AusCrypt 90. (A newer version of this paper may be available from Chaum.) He provides a method by which various forms of "credentials", which would include the endorsements described here, can be transferred among the nyms used by an individual, without giving away information about which nyms are related. Chaum's system is complicated and requires a centralized agency which gives out all endorsement certificates, as well as an agency which validates pseudonyms. His system does allow for optional restrictions on nyms which, for example, would allow only one nym to be used in any given online forum. A user would not be able to control two different nyms in that place, although he could have different nyms in other parts of cyberspace. There might be some situations in which this duplication could be harmful (such as certain kinds of online voting systems) and Chaum's method does allow this restriction. A simpler system, though, can be created with technology very similar to the "Magic Money" digital cash system created by the nym "Pr0duct Cypher." This system does not require any centralized control and allows individuals to make endorsements without help. It is somewhat less efficient than Chaum's approach but could be put into place more easily. The basic idea uses what Chaum calls a "blind signature". Above, the endorsement certificate was described as a digital signature on a coded message which named the nym or person being endorsed, as well as some information about the type of endorsement. With a blind signature, the signer does not see the message he is signing. It is supplied to him in a "blinded" form, he signs it, and then the person who supplied the message unblinds it. What is left is a signed message whose contents are not known by the person who signed it. This technology can be used directly to create blind endorsements. Suppose nym 123, who sometimes also uses the nym 456, gets an offer to receive a "good writing" endorsement from user U. He can supply U with a blinded message which says, in effect, "nym 456 has good writing". U does not see the contents of the message when he signs it, so he does not know that nym 456 is another name for nym 123. But when 123 gets the message back from U, he unblinds it to create an endorsement from U on nym 456. In order to control the type of endorsement ("good writing", etc.), that information is not put in the text of the message, but is determined by the exponent used in the digital signature. Each user would need to publish a table mapping exponents to types of endorsements (or perhaps such a table would be standardized over all users). And since nym 123 may actually have many pseudonyms in use, he would actually need to collect a large number of blind endorsements from U. In practice he would supply U with a large block of blinded endorsements, U would sign them knowing that they were all different pseudonyms of 123's, and 123 would keep them for use as needed. 123 could even include his True Name to receive a blind endorsement, as well as other pseudonyms he hadn't used yet. All of these would be capable of being shown with U's endorsement. Even when the original nym 123 was retired, other nyms which had received that endorsement could be put into use and they would carry the same stamp of approval. This system would allow very flexible use of pseudonyms while allowing the user to show endorsements and other forms of credentials without compromising his privacy. And the technology to do this is very close to systems already in use today, at least in its cryptographic aspects. The social problems of determining when writers should receive endorsements, how much credence to give to endorsements from unknown endorsers, how to appropriately display endorsements, and how to easily validate and verify endorsements proffered by others, are harder to solve. Despite these issues, a modification to Magic Money to support this application would allow for some initial experiments with the concept, which might help show where the significant problems lie. Hal Finney hfinney@shell.portal.com