
One of the problems with the idea of a pseudonym service distinguishing between "good" and "bad" users is that it has no way on its own of telling the difference. The service manages pseudonyms, which are intended to be used out on the web in some way. But the service can't tell if people are playing nicely or not.

The only way this could happen is if the service receives *complaints*. This is the only feedback mechanism possible. I gather that Tor does in fact send out complaints about people who misbehave. Perhaps blog services do so as well.

One problem is that these complaints generally don't arrive in real time. It takes time for a human being to notice that some vandalism has occurred and register a complaint. If the pseudonym service is going to be able to respond, it has to know which pseudonym was active at the time the bad actions occurred.

Jimmy Wales very accurately describes the problem with pseudonyms at the web-server level. If Wikipedia or blog comments require the use of pseudonyms, these can be linked after the fact. I am very sensitive to this problem myself. The implied solution is that the pseudonym service would maintain the pseudonyms, but would not reveal them to the web service. Rather, it would only provide a certificate that the pseudonym is currently in good standing, i.e. it has not received (too many) complaints.

This implies that the pseudonym service must maintain a record of recently used pseudonyms, and have some way of mapping them to what the web services (which issue the complaints, services like Wikipedia) would have seen. This mapping might be by IP address, or if Wikipedia and other services are willing to do more, it could perhaps be an opaque identifier which the pseudonym service provided at the time the web service (Wikipedia) asked whether this pseudonym was a "good guy" or not.
As a specific example, the pseudonym service might have replied, to a query from Wikipedia, "Yes, this user is a good guy, and the sequence number of this reply is #1493002." Then later if abuse occurred, Wikipedia (or the blog service, or other victim of vandalism) comes back and says "we had a problem with the user who was certified with sequence number #1493002". The pseudonym server would map this back to the pseudonym in use at that time, and invalidate the pseudonym (or at least give it a bad mark, with enough such marks killing the nym).

The main problems with this solution are first, it requires considerable manual work on the part of the pseudonym server, similar to the work necessary at an ISP to resolve complaints about users. It could be a full time job. And second, it requires custom software at Wikipedia and other web services that might be willing to work to implement such a solution.

The second problem could be alleviated by the use of a related service, a web proxy that is only for "good" pseudonyms. The web proxy would provide transparent pass-through similar to anonymizer.com, but only for users who were able to provide the kind of certification described above, from the pseudonym server. In this way, the outgoing IP addresses belonging to the web proxy would be "good" from the POV of Wikipedia and other web services. Those services could continue to use IP blocking as one of their main tools for handling misuse, treating the web proxy service as being like an ISP.

The web proxy service could be bundled with the pseudonym service, or they could exist independently.

CP

----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
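
The sequence-number complaint scheme described in the forwarded message above, as an added example that is not part of the original message: the web service only ever sees a sequence number, and the pseudonym service maps a later complaint back to the nym and records a bad mark. The class and method names, the HMAC tag binding each certificate to the requesting site, the three-mark threshold and the seven-day complaint window are all assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets
import time

class PseudonymService:
    """Issues good-standing certificates identified only by a sequence number."""

    def __init__(self, max_marks=3, cert_ttl=7 * 24 * 3600):
        self._key = secrets.token_bytes(32)  # MAC key, known only to this service
        self._seq = 1493001                  # constructed start; first reply is #1493002
        self._issued = {}                    # seq -> (nym, site, issued_at); never disclosed
        self._marks = {}                     # nym -> number of accepted complaints
        self.max_marks = max_marks           # assumed threshold that kills the nym
        self.cert_ttl = cert_ttl             # assumed window for late complaints

    def _tag(self, seq, site):
        # Binds a sequence number to the site that asked, so a complaint
        # cannot be filed against a guessed or foreign sequence number.
        msg = f"{seq}|{site}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def in_good_standing(self, nym):
        return self._marks.get(nym, 0) < self.max_marks

    def certify(self, nym, site, now=None):
        """Return (seq, tag) if the nym is in good standing, else None."""
        if not self.in_good_standing(nym):
            return None
        self._seq += 1
        issued_at = time.time() if now is None else now
        self._issued[self._seq] = (nym, site, issued_at)
        return self._seq, self._tag(self._seq, site)  # the nym is not in the reply

    def complain(self, seq, tag, site, now=None):
        """Record a bad mark for the nym behind seq; True if accepted."""
        now = time.time() if now is None else now
        if not hmac.compare_digest(tag, self._tag(seq, site)):
            return False                     # forged tag or wrong site
        record = self._issued.pop(seq, None) # one complaint per certificate
        if record is None or now - record[2] > self.cert_ttl:
            return False                     # unknown, already used, or too old
        nym = record[0]
        self._marks[nym] = self._marks.get(nym, 0) + 1
        return True
```
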