Re: exporting signatures only/CAPI (was Re: Why not PGP?)
Steve Shear <azur@netcom.com> writes:
The problem however, is finding a non-US site to hold the hot potato once it has been exported. For example 128 bit Netscape beta was exported a while ago. I don't see it on any non-US sites. This is due to Netscape's licensing requirements, you need a license to be a netscape distribution site, the license doesn't include the right to mirror non-exportable versions on non-US sites.
That's one good application for remailers, and .warez newsgroups. at.
I don't know of any advertised files by email services using nym servers, where the file request, and the files are both sent via remailers.
The problem with this is currently is that the nym servers couldn't stand up to the scrutiny if SPA or whoever got interested. The message flood attack on the nym would reveal the services host.
The BlackNet architecture solves this problem by posting requests encrypted with the services key to a newsgroup, but USENET newsgroup disitribution time is slow (*), and people are spoilt these days with WWW, and expect results now, not days later.
Has anyone tried this to see whether the LOS would or wouldn't be acceptable?
The requested file can be posted via mixmaster. You would want to use a different, random chain of remailers each time. A reverse message flood could reveal the host also, as you can request lots of copies, and the service will blindly serve the files. (If someone wants to discover the service host, they send 1000s of requests, then sit back and watch which user sends most data into the remailer net.)
On a related note: I've been charged with developing an Internet service which needs to assure its clients of anonymity. However, we fear some clients may abuse the service and we wish to prevent the abusers from re-enrollment if terminated for misbehavior. (In your example, it would be the person(s) trying to discover the service host via flood). My thought was to base enrollment on some sort of 'blinding' of their certified signature (e.g., from Verisign) which produces a unique result for each signature but prevents the service from reconstructing the signature itself (and thereby reveal the client's identity). I'm calling this negative authentication. Have you come across anyone who has considered this problem or another one which is mathematically very similar?
To combat this the service could impose a limit on the number of copies it would serve per day. This allows a denial of service attack, if someone wants to stop anyone else getting a copy, they just saturate the service. Still an improvement over no limit.
If the service could negatively authenticate users it would need such limits and might not be subject to such attack.
Of course Ross Anderson's `eternity service' provides the general case solution for distribution of such data. It is complex to implement well though.
I've never heard of the eternity service. Where can I get more information? BTW, would Eric Hughes' Universal Piracy System also solve such a situation, by distributing or parking snippets of encrypted file data across many 'cooperating' ftp (or whatever access/storage mechanism) sites. Perhaps the negative authentication approach would help here too by preventing flood/denial of service attacks against the 'key' sites. If only snippets of encrypted data are stored on any one host it might make the SPA's goal even more elusive legally. PGP Fingerprint: FE 90 1A 95 9D EA 8D 61 81 2E CC A9 A4 4A FB A9 --------------------------------------------------------------------- Snoop Daty Data | Internet: azur@netcom.com Grinder | Sacred Cow Meat Co. | --------------------------------------------------------------------- Counter-cultural technology development our specialty. Vote Libertarian. Just say NO to prescription DRUGS. "Of all tyrannies, a tyranny sincerely exercised for the good of its victims may be the most oppressive." -- C.S. Lewis "Surveillence is ultimately just another form of media, and thus, potential entertainment." -- G. Beato
Steve Schear wrote: | I've been charged with developing an Internet service which needs to assure | its clients of anonymity. However, we fear some clients may abuse the | service and we wish to prevent the abusers from re-enrollment if | terminated for misbehavior. (In your example, it would be the person(s) | trying to discover the service host via flood). Why not have a high sign up fee or deposit? Let people play games, and pay for it. Trying to build morality into a crypto system is tough. Its easier to move the costs up front. Let those who want to pay the deposit fee repeatedly do so. Think of it as a tax refund. :) Adam -- "Every year the Republicans campaign like Libertarians, and then go to Wasthington and spend like Democrats." Vote Harry Browne for President. http://www.harrybrowne96.org
[cc'd to coderpunks] On Sun, 13 Oct 1996, Steve Schear wrote:
Steve Shear <azur@netcom.com> writes:
[much cut]
I've been charged with developing an Internet service which needs to assure its clients of anonymity. However, we fear some clients may abuse the service and we wish to prevent the abusers from re-enrollment if terminated for misbehavior. (In your example, it would be the person(s) trying to discover the service host via flood).
My thought was to base enrollment on some sort of 'blinding' of their certified signature (e.g., from Verisign) which produces a unique result for each signature but prevents the service from reconstructing the signature itself (and thereby reveal the client's identity). I'm calling this negative authentication.
Have you come across anyone who has considered this problem or another one which is mathematically very similar?
Stefan Brands has a protocol that probably does what you want. And also would form the basis for anonymous internet "postage stamps"... It is unpublished, but he kindly allowed to me describe it in a paper I wrote that discussed whether a bank would ever want to take the risk of allowing bank accounts where it did not know the identity of the customer. The protocol is described at http://www.law.miami.edu/~froomkin/articles/oceanno.htm#ENDNOTE286 [A frames version of the same paper is at http://www.law.miami.edu/~froomkin/articles/ocean.htm but it's harder to jump straight to the footnote you want in that version] **Benjamin Bradley Froomkin, b. Sept. 13, 1996, 8 lbs 14.5oz 21.5"** **Age two weeks: 9 lbs 12 oz, 23"** A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) Associate Professor of Law | U. Miami School of Law | froomkin@law.miami.edu P.O. Box 248087 | http://www.law.miami.edu/~froomkin Coral Gables, FL 33124 USA | It's warm here.
Steve Schear <azur@netcom.com> writes:
On a related note:
I've been charged with developing an Internet service which needs to assure its clients of anonymity. However, we fear some clients may abuse the service and we wish to prevent the abusers from re-enrollment if terminated for misbehavior. (In your example, it would be the person(s) trying to discover the service host via flood).
Chaum's DC net solves flood problems. However it itself has high bandwidth requirements. Also you need to do something about denial of service attacks. There are algorithms to detect disrupters.
Of course Ross Anderson's `eternity service' provides the general case solution for distribution of such data. It is complex to implement well though.
I've never heard of the eternity service. Where can I get more information?
Ross Andersion's www page is: http://www.cl.cam.ac.uk/~rja14/ he has a collection of postscript files for published and to be published papers, eternity service is one of them. You might find Matt Blaze's netescrow interesting also, and related: ftp://ftp.research.att.com/dist/mab/netescrow.ps
BTW, would Eric Hughes' Universal Piracy System also solve such a situation, by distributing or parking snippets of encrypted file data across many 'cooperating' ftp (or whatever access/storage mechanism) sites.
Sounds similar to eternity. It involves splitting the data over many sites in many jurisdictions. Is a UPS description available on www?
Perhaps the negative authentication approach would help here too by preventing flood/denial of service attacks against the 'key' sites. If only snippets of encrypted data are stored on any one host it might make the SPA's goal even more elusive legally.
Eternities approach is to place sites in different jurisdictions, and to arrange so that the sites themselves don't know what data the parts of which they are serving. (Removes the knowledge of what is being distributed, which seems to be an element of the legal concept of contributory infringement, as explained by Greg Broiles). Adam -- print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<> )]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`
At 16:28 -0400 10/13/96, Michael Froomkin - U.Miami School of Law wrote:
[cc'd to coderpunks]
On Sun, 13 Oct 1996, Steve Schear wrote:
Steve Shear <azur@netcom.com> writes:
[much cut]
I've been charged with developing an Internet service which needs to assure its clients of anonymity. However, we fear some clients may abuse the service and we wish to prevent the abusers from re-enrollment if terminated for misbehavior. (In your example, it would be the person(s) trying to discover the service host via flood).
My thought was to base enrollment on some sort of 'blinding' of their certified signature (e.g., from Verisign) which produces a unique result for each signature but prevents the service from reconstructing the signature itself (and thereby reveal the client's identity). I'm calling this negative authentication.
Have you come across anyone who has considered this problem or another one which is mathematically very similar?
The mistake is to think of using ID certificates (like those from Verisign) in the first place. They don't mean anything. You want an authorization certificate, such as produced by SPKI. You need to know what a key is authorized to do, not what name is associated with the key. Check out http://www.clark.net/pub/cme/spki.txt and http://theory.lcs.mit.edu/~rivest/publications.html in the SDSI section. - Carl +------------------------------------------------------------------------+ |Carl M. Ellison cme@acm.org http://www.clark.net/pub/cme | |PGP: E0414C79B5AF36750217BC1A57386478 & 61E2DE7FCB9D7984E9C8048BA63221A2| | "Officer, officer, arrest that man! He's whistling a dirty song." | +-------------------------------------------- Jean Ellison (aka Mother) -+
participants (5)
-
Adam Back -
Adam Shostack -
azur@netcom.com -
Carl Ellison -
Michael Froomkin - U.Miami School of Law