Hal Finney (I think) writes,
the net is inherently an anonymous environment. ...The sooner people realize that there is no line that divides the clean from the unclean, the sooner anonymity will be widely accepted on the net.
But there _is_ a line, and people will likely want to draw it. It's true that currently there aren't any security guarantees to prevent a person from pretending to be someone else, but there will be. PEM certificates will distinguish between real people and personas. A public-key-authenticated "real person newsgroup" can be implemented. This raises the possibility that most newsgroups will transition to real-person-only status. This will cramp the style of those of us who wish to participate in the net using a persona. I think a major task ahead of us is to provide an alternative to "real people = good, personas = bad", and to put forward alternatives to "real person newsgroups" which are tolerable to most and more palatable to us. So what's the distinction we might wish to put forward instead of "real person"? "Paying customer", perhaps, or "respected reputation"? Yeah, that sounds good. Maybe it's time to set up some reputation based newsgroups, with a means of keeping track of who has been posting good stuff, and of filtering for credibility. -- Marc Ringuette (mnr@cs.cmu.edu)
Marc Ringuette writes:
PEM certificates will distinguish between real people and personas. A public-key-authenticated "real person newsgroup" can be implemented.
I am opposed to "is-a-person" credentials, especially of the type "is-this-specific-person". The knowledge of personal identity is in most cases not salient. We are in danger of creating a system similar to the SSN fiasco, where a public identity is now not only a number but a cryptographically protected one. When such a system exists, there will be strong pressures to use it for other purposes, just as there are with SSN's. In short, do not support the PEM certification hierarchy in any way. If you are in a corporate position with the power to make this decision, nix it. If you are an individual, do not get or use these certificates. Do not even get persona certificates; it strengthens the person identification system by its negative.
I think a major task ahead of us is to provide an alternative to "real people = good, personas = bad", and to put forward alternatives to "real person newsgroups" which are tolerable to most and more palatable to us.
Newsgroups could be the first structure to require identity, and they wouldn't be the last. We need alternatives before authentication to real people becomes prevalent. I fully agree that the creation of better structures is pressing on us. I would prefer to be the default and make PEM "the alternative".
So what's the distinction we might wish to put forward instead of "real person"? "Paying customer", perhaps, or "respected reputation"?
The simplest replacement for "real person" is "public key." Carl Ellison argues mightily and well for this, and has for several years. By going to just public key, you can support other models and retain continuity of conversation, where that is desired.
Yeah, that sounds good. Maybe it's time to set up some reputation based newsgroups, with a means of keeping track of who has been posting good stuff, and of filtering for credibility.
We need to set up some replacement for the existing fora. Here are some of the characteristics I've thought about: 1. Eliminate the default behavior to transmit everything received. On both mailing lists and newsgroups, everthing anybody wants to say to is sent to the whole group. There are two common restrictions on this. One is closed mailing lists, where the same default transmission occurs but is a closed group. That group can get large, however, and manifest all the probelms of an open group. The other is to use a moderator, or more accurately an approver, to pre-read all the material before transmission. So default transmission has to go. What will replace it? Whatever it is, it must have the characteristic that there will be posts that will not be sent to everybody when they first arrive. Simple, but this is an extremely important characteristic of any future forum. I think the origin of this behavior lies in the UUCP origins of newsgroups, where interactive use was difficult and expensive, and where mail delivery turnaround times were measured in days. Back then, it actually was better to do default transmission, especially in a fairly homogenous environment where most people got along OK. 2. For bootstrapping purposes, default transmission must be supported to some subset of the member of the forum. This seems to directly conflict the point made above. Default transmission must be supported to some, but can't be to all. If you require that anybody who wants to use this new forum install "work-in-progress" software in order to participate, you'll cut out most of your participants. Now people won't participate unless there's some content to the forum, and that will have to be provided by more than just the users of the new software. 2a. Corollary: A "lurker-only" mode must always be supported. There will always be those who just want to listen who are not expected to otherwise participate. A lurker mode, by its nature, will be default transmission, but not of the whole discussion, perhaps. 3. The social relations among individuals must not have any assymetry enforced by the software. A moderator, for example, is in a different position than any other list participant. That means that all people must be able to participate in deciding what they want to read and what they want to say about what they've read. 4. The development of social assymetries must not be prevented by the software. Some people will want to ignore others and want to listen only to others. When these preferences become commonplace, there are optimizations that can take place which create assymetries, for example, by doing transmissions to lurkers based on the ratings of the most respected group members. 5. Since people must base their decisions on something other than the content of the postings themselves, and since meta-traffic about postings shouldn't completely overwhelm the forum itself, it is desirable that ratings be specified in some contrained grammar, preferably very small and machine-parsable. 6. There must exist a mechanism for ensuring that the aggregate rating information is not unbounded. This is a subtle point which I illustrate with an analogue: in an adventure game, there must be some limit on the total amount of money. If voting is completely unconstrained, you quickly get vote inflation and the devaluation of an individual's opinion. If I can vote one hundred times for myself, something's wrong. Therefore I suggest that opinion votes be issued similarly to money. Each person voting gets to withdraw one "permission to publish an opinion" per message, withdrawn by a blind signature, and then gets to use it however they want. They can cast it themselves, or give it someone else to cast by proxy. (Note that a blind signature is an interactive protocol.) You want a blind signature to avoid the trap of revealing privacy information by default. If someone wants to say what they thought, they are, of course, free to do so. 7. Participants should have the ability to distinguish between blind votes and public votes. People should have the option of ignoring the "prevailing wisdom," especially when that prevailing wisdom tends to crush minority opinions. 8. The rating system should be separable from the transmission system. This is to allow multiple rating systems to emerge. A rating collective built on top of a mailing list, for example, could get a full feed of all posts, but not transmit all of them to all of its members. 9. Someone is going to have to look at the really awful stuff in order to rate it negatively. "I just don't want it to be me." Many will say this, no doubt. That's all for now. Eric
participants (2)
-
Eric Hughes -
Marc.Ringuette@GS80.SP.CS.CMU.EDU