From: tmp@netcom.com
these identification systems ultimately fall back on `real world' identification systems such as birth certificates, social security numbers etc. which all can be readily subverted by a determined adversary.
I believe RSA requires a notarized statement, where you have presented the notaries with three forms of ID. I would imagine that notaries have some experience with false ID, but no doubt they can be fooled with sufficient effort. Still, for the kinds of applications we are talking about here (chatting on the net) this is probably adequate. For more security you could require a thumbprint which is compared with others on file.
what, specifically, is problematic about these? does chaum just ignore them? does he describe them in greater detail?
Chaum was writing more about financial relationships with creditors, businesses, etc. My translation of his ideas into the cyberspace author- ship arena was not something he discussed directly.
as for `endorsements for unknown endorsers', it seems to me the reputation system you refer to is a sort of `reputation web' not unlike the pgp `web of trust' model. a pseudonymous credential has as much weight as the pseudonym originating the certification. i.e., if `a' signs `b's pseudonym, that `edge' in the `reputation graph' has as much weight as `a' has reputation. that is, it should not be possible to create a whole bunch of new pseudonyms, have them all sign each other, and then increase your reputation.
In one way it is easier than with pgp. With pgp we are trying to guess whether a person is really who he says he is. This has all sorts of real- world implications, and as tmp points out these are hard to verify. With reputation systems what you really want to know is whether a person's endorsements are valuable. Over time you can basically decide this for yourself, by judging whether those authors recommended by a given person are ones which you consider good. Those endorsers whose opinions match your own would be the ones you pay the most attention to.
this brings up an interesting idea. future cyberspatial citizens may develop an elaborate netiquette that describes how to maximize one's advantage through the use of pseudonyms. all kinds of strategies will ensue. is it better to have a few good pseudonyms, without diluting reputation, or a whole bunch of pseudonyms but a bit more diluted reputation?
With Chaum's system it should not necessarily dilute your reputation to use a lot of pseudonyms. OTOH, you are right that informal reputations will not carry over, and in practice these will be important.
one of the problems with a positive reputation system is that it would workd for `d-type people' <g> whose reputation is primarily negative. a whole lot of people would like to put a negative credential on `d' so that they would limit his influence in all forums he visits, similar to the way that one could globally encourage someone else through `accreditation'. `d' would simply not propagate any negative signatures to his pseudonyms.
Negative endorsements, and negative credentials in general, are difficult to achieve. Chaum's paper has some discussion of these but it is hard to follow. The simple blinded signature model provides a pretty simple way to allow only one pseudonym per True Name in a given forum, if you assume there is some way to distinguish people in the real world. Suppose Cypherwonks wanted only one person per nym. And suppose there was an agency which was able to distinguish people, that is, it could tell when it had seen the same person twice. Now, Cypherwonks asks this agency to give a single blinded signature of a type (exponent) which is unique to that list, to anyone who wants it, but such that nobody gets more than one. To be accepted on the Cypherwonks list, then, somebody would have to show a signature of this particular type, different from everyone else's. Each person could only get one such token, which Chaum has called an is-a-person credential (again, this is a simplification of his idea, I think). Now tmp has what he wants, the ability for a list to have only one nym per person. And in such a situation, negative reputations are important, because you only get one chance and can't start over with a new nym.
could such a negative signature system be constructed? it seems possible with a centralized `trusted' server, but this is not an ideal solution; ideally one would like the system to be possible from the independent interactions of people who trust only themselves. this of course is the ideal cryptographic model, and the very best and finest algorithms (e.g. rsa) conform to it.
Well, you have to trust that the agency which is verifying uniqueness of identity doesn't cheat. But note that the agency does not get any great privacy-infringing power, as they don't have to know the True Names or identities of the people they are endorsing, and they don't know their pseudonyms (since those are blinded when they are signed).
the problem is similar to preventing double spending in a cash system. how do you enforce that a person `spends' a certain amount of information? there are no `laws of the conservation of information' as their are of e.g. mass as with a paper currency. in fact maybe the double-spending preventative techniques for cash systems could be translated to get a negative reputation and prevent people from not displaying credentials, even negative ones, they have accrued (just in the way people are forced to reveal if they are `printing money', i.e. spending spent money)
Chaum did, as I said, have some concept about revealing negative credentials, perhaps along the lines you are suggesting. As I followed his ideas (which wasn't very well), you would have to submit an "I'm not a jerk" credential with each posting, and the only way to get another such token would be to get back a response from your posting saying, "OK, you're still not a jerk." But if you posted some trash ("Death to BlackNet") then you wouldn't get back that "OK" token and you'd have lost your "not a jerk" token for good. This would work best in a situation where there was one nym per person, otherwise he could use his other nyms to endorse his worthless trash. (I posted a variation on this idea a couple of weeks ago as a way of handling anonymous remailer complaints without breaking the anonymity of the remailer user. A similar token-and-response system was used, also based closely on the blinded signature system in Magic Money.)
personally i like chaum's emphasis (or recognition) that forums exist such that restricting pseudonymity in them is natural, fair, and rational, i.e. a desirable design goal. it seems to me that even beyond this, people should be able to construct forums where they demand (or comply, or agree, or whatever) that identity be known, or that it be totally ignored. given all this inquisitional witchhunting of my `true identity' (whatever the !@#$%^&* that is), obviously this forum is in the former category <g>
Well, Larry, you have to realize that you caused us enormous hassle several months ago, so it's natural that people will be somewhat hostile. Other pseudonymous posters have not stirred nearly so much interest (with the possible exception of Xenon, who had some of your own tendencies to rant at length). However, in your new incarnation I find your postings much more interesting.
what do you think, cpunks, should you have the right to ignore people regardless of the pseudonyms they use? again, i ask if it is possible to construct a system that protects anonymity but at the same time allows someone to filter all pseudonyms associated with another person. it seems that we have reached an impasse -- these are two very useful design criteria but they appear to be contradictory. on one hand we would like to censor all the `d-type' pseudonyms, but on the other hand we would want a `clean slate' for all of our own.
Chaum has some discussion about how you can go to library A and borrow a book, proving that you have no overdue books at libraries B, C, D, ..., without compromising your anonymity. This sounds analogous to proving that you have no negative credentials from other cyberspace forums. Unfortunately, this is a part of his paper I need to read more times to understand. Hal