As an occasional Tor and Wikipedia user, let me add a couple of points. First, in case it is not obvious, the problem with the present system is that Tor users can no longer edit on Wikipedia. I have done so in the past, in what I like to think is a constructive manner, but cannot do so since this summer. I have valid although perhaps unpopular contributions to make, and not only is my freedom to express myself limited, the quality of the material on Wikipedia suffers due to the absence of my perspective. The status quo is not acceptable and we should work to find a solution. Looking at the proposals for authentication servers and such, I see a major issue which is not being addressed. That is, how does the web server distinguish "authenticated" Tor users from unathenticated ones? If this is via a complicated protocol, there is no point as the servers won't use it. The hard truth is this: the distinction must be done on the basis of IP address. That is, there must be a separate set of Tor exit nodes which are only for authenticated users. This does not necessarily mean building complex authentication protocols into the Tor network, and having two classes of traffic flowing around. It could be that this authenticated Tor is a separate network. It only lets users in who are authenticated, and owns a specific set of IP addresses which servers can whitelist. The regular Tor exit nodes can be blacklisted as they are now. The technical problem is then, how to achieve as much anonymity as possible in the authenticated network, while still providing the abuse prevention services which Wikipedia and other servers will require in order to whitelist the nodes. What does Wikipedia need? What is the minimum level of service they require? Presumably, it is similar to what they can get via ISPs, who also map many users to a fixed set of IP addresses. Wikipedia can complain to the ISP, and it will get back in some form to that user. Of course, Wikipedia does not know the details of how their complaint is handled. Is the user kicked off, banned temporarily, or merely given a stern warning? What matters to them is that, generally, users that they complain about don't keep coming back. Their complaints are effective, at least much or most of the time. This is the level of response which an authenticated Tor network would have to provide. The problem with this functionality from Tor's perspective is that unlike an ISP, Tor does not have knowledge of the mapping from users to IP addresses. Given a complaint that a certain IP was misused at a certain time, Tor has no information about which user to penalize. To solve the problem we would need to use some cryptographic mechanism. Let authenticated users gain credentials via some expensive, slow process. Let them embed the credentials in their messages such that they are revealed in some blinded form to the exit node. Let the exit nodes remember the credentials which were used at different times. When valid complaints arrive, let the exit nodes blacklist the credential which was in use at that time. This stops the abuser. There could be many such authenticated-Tor subnetworks. Each could have its own credential servers, its own abuse policies, and its own set of exit IP addresses. They would be like anonymous ISPs, from the POV of web server operators like Wikipedia. Those which are effectively able to suppress abuse will avoid blacklists and their users will be able to successfully use web based services. CP ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]