Some points of clarification that I hope will help: (1) On anonymity and authentication/pseudonymity/etc. All versions of Onion Routing, including Tor, were designed to separate identification from routing. The slogan way that I have put this for the last five or six years is: Onion Routing is about anonymizing the communication pipe, not what goes through it. The devil's always in the details, but as one-line summaries go, I think that sums it up pretty well.{1} (2) On various pseudonym authentication or anonym authentication{2}, etc. approaches to solving the problem at hand. Some of this is ultimately necessary for various applications, especially once the Internet looks as Geoff described it. (In fact I think it's one precondition to realizing anything like that vision.) But I'm dubious about any of those proposed to date here providing enough friction to identifier acquisition to deter abusers but not honest users in this context. They may be worth trying. Roger's suggestion about the temporary IP blocks and Steven's about the separate puzzle servers come to mind, probably some others I'm forgetting just now. But as Roger says, somebody's gotta code them up---and probably much more work---deploy them, maintain them, and evaluate their effectiveness, all on the Tor-Wikipedia frontier. I suspect that the abuser who goes postal as Jimmy described is willing to waste lots of time acquiring IDs, but perhaps stereotypes about attention span are close enough to true for some of the proposals to be effective. I had my own proposal that doesn't rely on any of this, and that could be implemented and deployed in a few days (OK after spending at least a few months or so thinking about the design, the engineering, and the implications.) In the spirit of mutt: All these ideas suck; I just think that one sucks a little less. ------------------------------------------------------------- {1} Some further specifics for (1) Anonymity and identification/authentication can be entirely compatible. By this I mean that one can be anonymous (to everyone) as far as one identifier goes but authenticated (to a specific protocol principal) wrt another as part of the same communication. This has been an intentional part of the design of every Onion Routing system including Tor. It contrasts with systems like Crowds, which was directed at distinct but related security properties, thus they made anonymity of the circuit inherently depend on the anonymity of the data passing over it. As a specific example of using Tor for authenticated communication over anonymous circuits, when travelling I often need to log back into NRL to check mail and do other things. I do this via ssh over Tor. That way the local hotel staff, ISP staff, any other network observers don't see me logging in to NRL. But I can assure you that I want to make sure I am going to NRL and no place else and that I want to make sure only I, and no one else, succeeds in accessing my account. (And Jimbo, in my experience, it has been realtime enough to be editing in vi or emacs with no noticeable trouble over this line. I can't say that someone who expects permanent T1 rate downloading is going to be happy with Tor, but you should check it out and see the performance for yourself over a few days, rather than relying on the reports you've heard.) I also discussed this in my testimony to the National Academy of Engineering panel that did a study of authentication and privacy several years ago. (Cf. _Who Goes There? Authentication Through the Lens of Privacy_ from the National Academies Press.) As many have noted, Tor has enough of a job trying to do one thing well. Trying to do more things will just mean it does that thing less well or later. But that does not preclude designing to be compatible with other things, e.g., privoxy to somewhat sanitize, i.e., anonymize web traffic over Tor, or connect to enable authenticated communication via ssh over Tor. (There's a program named `connect' in case you had trouble parsing that.) The discussion now is how to make Tor and Wikipedia compatible, the interface as Nick put it. {2} Yes you can authenticate someone who is anonymous from you. Besides various group signature approaches, cf., e.g., my papers on UST (Unlinkable Serial Transactions), or look at the proposal for common terminology (new version recently out) at http://dud.inf.tu-dresden.de/Anon_Terminology.shtml What we called an `anonym' in the UST work and elsewhere they call a `transaction pseudonym'. ------------------------------------------------------------- ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
participants (1)
-
Paul Syverson