Thinking about something, I found an interesting problem. It is possible to set up a reputation-based system with nyms, where every nym is an identity with attached reputation.

Is it possible to have a system where nyms can share reputation without divulging the links between them? That would allow the possibility of eg. publishing as a "new" identity while still having the "weight" of an already established seasoned professional.

Yes, you can do this, but there are some problems. First, what is a reputation? Reputations are in people's minds. Any nym will have a different reputation with different people. The only way the new nym could have exactly the same reputation with everyone would be for it to be explicitly linked to the old nym, defeating the purpose of switching. Therefore the new nym's reputation will have to be a simple subset of the reputation of the old nym, in order that many nyms will have equal reputation and the new one won't be linked. This suggests a simple boolean ranking where one or more respected figures can give their endorsement to a nym, and then the new nym can start up and say that it is endorsed by so-and-so. As long as that person gave out quite a few endorsements then there will not be too much linkage to the old nym. As someone mentioned, this is the problem which is solved by cryptographic credentials, like those of Chaum or Brands. The "reputation judge" gives out an endorsement credential to those nyms he deems worthy; then through various cryptographic techniques these credentials can be shown by the new nyms. A simple version of this would be to use the same Chaum blind signatures that are used for ecash. When the reputation judge gives out the credential, in addition to signing the nym, he also issues a blind signature on a blinded identity offered by the nym owner. The judge can't see what nym he is signing, but later that nym can show that its identity is signed by the reputation judge. Brands credentials basically work this same way. A problem with this is that only one new nym gets endorsed, so the holder can only switch identities once. To fix this, the judge could issue several blind signatures, say about 5, which would accommodate that many identity switches. An even simpler approach would be for the reputation judge to create a common public key to be used as a signing key by everyone he endorses. When he endorses someone he reveals to them, privately, the secret key used to sign with the common public key. Then all nyms who have received the endorsement can sign with the common key in addition to their own. When the nym switches identities he still knows the common signing key and can sign with it along with the new nym. The problem with this class of systems is that if anyone leaks the common private key, then the security of the endorsement is lost and anyone can pretend to be endorsed. A similar flaw with the previous proposal is that if someone gets several blind endorsements, they might give some away or sell some, and the new buyers might misuse them, cheapening the value of the endorsement. Yet another method, good if there aren't more than a dozen or so nyms which are endorsed, is to use a ring or group signature. The reputation judge publishes a list of keys that he endorses, and then anyone on the list can make a signature which can be verified as coming from one of the keys, but there is no way to tell which one made it. This has a security problem similar with the 2nd approach, that someone on the list could secretly give away his private key to other people, and they could sign bad messages, with no way to tell which person on the list created them. The reputation judge could address this by withdrawing his endorsement of the last few list members, and seeing if the problem goes away, but it would be a complicated and messy situation.