anonymous IP terminology (Re: [anonsec] Re: potential new IETF WG on anonymous IPSec (fwd from hal@finney.org))
User-Agent: Mutt/1.4.1i
Sender: owner-cryptography@metzdowd.com

Joe Touch <touch@ISI.EDU> wrote:
> The point has nothing to do with anonymity;
> The last one, agreed. But the primary assumption is that we can avoid a lot of infrastructure and impediment to deployment by treating an ongoing conversation as a reason to trust an endpoint, rather than a third-party identification. Although anonymous access is not the primary goal, it is a feature of the solution.
Joe: I respectfully request that you call this something other than "anonymous". It is quite confusing and misleading. Some people have spent quite a bit of time and effort in fact working on anonymous IP and anonymous/pseudonymous transports. For example at ZKS we worked on an anonymous/pseudonymous IP product (which means cryptographically hiding the source IP address from the end-site). There are some new open source anonymous IP projects. Your proposal, which may indeed have some merit in simplifying key management, has _nothing_ to do with anonymous IP. Your overloading of the established term will dilute the correct meaning. Zooko provided the correct term and provided references: "opportunistic encryption". It sounds to have similar objectives to what John had called opportunistic encryption and tried to do with FreeS/WAN. Lower level terms may be unauthenticated as Hal suggested. Or non-certified key management (as the SSH caching of previously seen IP <-> key bindings and warnings when they change).
> Although anonymous access is not the primary goal, it is a feature of the solution.
The access is _not_ anonymous. The originator's IP, ISP call traces, phone access records will be all over it and associated audit logs. The distinguishing feature of anonymous is that not only is your name not associated with the connection but there is no PII (personally identifiable information) associated with it or obtainable from logs kept. And to be clear also anonymous means unlinkable anonymous across multiple connections (which SSH type of authentication would not be), and linkable anonymous means some observable linkage exists between sessions which come from the same source (though no PII), and pseudonymous means same as linkable anonymous plus association to a persistent pseudonym. Again there are actually cryptographic protocols for having anonymous authentication: ZKPs, multi-show unlinkable credentials, and refreshable (and so unlinkable) single-show credentials.

Adam

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com

--- end forwarded text

--
-----------------
R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
participants (1)
-
Adam Back