At 05:57 AM 4/19/04 -0400, An Metet wrote:

...

Is it possible to have a system where nyms can share reputation without divulging the links between them? That would allow the possibility of eg. publishing as a "new" identity while still having the "weight" of an already established seasoned professional.

Yes, you can do this, but there are some problems.

First, what is a reputation? Reputations are in people's minds. Any nym will have a different reputation with different people. The only way the new nym could have exactly the same reputation with everyone would be for it to be explicitly linked to the old nym, defeating the purpose

of switching.

Reputation requires authentication so you know you're talking to the same endpoint. It is easily implemented with a PK signature. Normally you assume the IP:port at the other end remains the same endpoint, but MITM attacks show that this is an exploitably false assumption. IPSec fixes this. So reputation is not in people's minds, its something that one can construct by signing documents with the same key. A nym is just a token, a string, a handle. You can make it more by making it persistant across sessions (ie, keep using the same RSA key instead of using ephemeral DH or one-time RSA keys to authenticate a single session.); normally folks do this to accrue reputation as well as for convenience. All you need is the same RSA key used above. You can further concretize a nym by associating it with a human subject to Men w/ Guns. But its not necessary, any more than persistant authentication (reputation) is. You can use a throw-away email account, or public key, for each message, thread, clique, etc. -------- In thinking about how to transfer reputation-credits, is the Adversary watching any movement on that 'account'? To use the credits, someone has to talk to a clearing house (to avoid double-spending) unless the reputation was on a physical bearer-gizmo like a secure card. (Cash or other anon Finder's-Keeper's bearer bling are the preferred funds transfer mechanism for identity-change). I don't see how you can transfer an unforgable token without some online activity xor secure physical implementation.