Re: Moving beyond "Reputation"--the Market View of Reality
Following which, Alice pulls out the pre-dated revocation certificate, and generates confusion as to the validity of Bob's key change message. Duh, indeed. Adam On Fri, Nov 30, 2001 at 01:34:53PM -0500, Sunder wrote: | Simple. Once the buyer has the keys she issues an email saying "I'm | changing my keys, here's the new public key" and signs it with the old key | - thus proving that the nym's original message was valid, thus | invalidating the old one. Duh! | | | ----------------------Kaos-Keraunos-Kybernetos--------------------------- | + ^ + :Surveillance cameras|Passwords are like underwear. You don't /|\ | \|/ :aren't security. A |share them, you don't hang them on your/\|/\ | <--*-->:camera won't stop a |monitor, or under your keyboard, you \/|\/ | /|\ :masked killer, but |don't email them, or put them on a web \|/ | + v + :will violate privacy|site, and you must change them very often. | --------_sunder_@_sunder_._net_------- http://www.sunder.net ------------ | | On Fri, 30 Nov 2001, Adam Shostack wrote: | | > On Fri, Nov 30, 2001 at 12:14:13PM -0800, Wei Dai wrote: | > | On Thu, Nov 29, 2001 at 07:53:02PM -0800, georgemw@speakeasy.net wrote: | > | > Even this is not a scalar. Since reputation cannot be bought | > | > and sold, the idea that it is worth a specific well defined amount is | > | > false. | > | | > | If you own a nym, you can easily sell its reputation. Just give the | > | private key to the buyer. | > | > How does the buyer ensure that I haven't kept a copy? If what I'm | > selling is a nym, then without the nym, I am anonymous. Adding layers | > of nymity for reputation with partial disclosure seems a complex and | > failure-prone approach. | > | > Adam | > | > -- | > "It is seldom that liberty of any kind is lost all at once." | > -Hume -- "It is seldom that liberty of any kind is lost all at once." -Hume
Following which the buyer posts all the signed emails between self and seller detailing the fraudulent transaction. ----------------------Kaos-Keraunos-Kybernetos--------------------------- + ^ + :Surveillance cameras|Passwords are like underwear. You don't /|\ \|/ :aren't security. A |share them, you don't hang them on your/\|/\ <--*-->:camera won't stop a |monitor, or under your keyboard, you \/|\/ /|\ :masked killer, but |don't email them, or put them on a web \|/ + v + :will violate privacy|site, and you must change them very often. --------_sunder_@_sunder_._net_------- http://www.sunder.net ------------ On Fri, 30 Nov 2001, Adam Shostack wrote:
Following which, Alice pulls out the pre-dated revocation certificate, and generates confusion as to the validity of Bob's key change message.
Duh, indeed.
Adam
On Fri, Nov 30, 2001 at 01:34:53PM -0500, Sunder wrote: | Simple. Once the buyer has the keys she issues an email saying "I'm | changing my keys, here's the new public key" and signs it with the old key | - thus proving that the nym's original message was valid, thus | invalidating the old one. Duh! | | | ----------------------Kaos-Keraunos-Kybernetos--------------------------- | + ^ + :Surveillance cameras|Passwords are like underwear. You don't /|\ | \|/ :aren't security. A |share them, you don't hang them on your/\|/\ | <--*-->:camera won't stop a |monitor, or under your keyboard, you \/|\/ | /|\ :masked killer, but |don't email them, or put them on a web \|/ | + v + :will violate privacy|site, and you must change them very often. | --------_sunder_@_sunder_._net_------- http://www.sunder.net ------------ | | On Fri, 30 Nov 2001, Adam Shostack wrote: | | > On Fri, Nov 30, 2001 at 12:14:13PM -0800, Wei Dai wrote: | > | On Thu, Nov 29, 2001 at 07:53:02PM -0800, georgemw@speakeasy.net wrote: | > | > Even this is not a scalar. Since reputation cannot be bought | > | > and sold, the idea that it is worth a specific well defined amount is | > | > false. | > | | > | If you own a nym, you can easily sell its reputation. Just give the | > | private key to the buyer. | > | > How does the buyer ensure that I haven't kept a copy? If what I'm | > selling is a nym, then without the nym, I am anonymous. Adding layers | > of nymity for reputation with partial disclosure seems a complex and | > failure-prone approach. | > | > Adam | > | > -- | > "It is seldom that liberty of any kind is lost all at once." | > -Hume
-- "It is seldom that liberty of any kind is lost all at once." -Hume
On Fri, Nov 30, 2001 at 04:28:58PM -0500, Adam Shostack wrote:
Following which, Alice pulls out the pre-dated revocation certificate, and generates confusion as to the validity of Bob's key change message.
I guess we would need a distributed public registry of key change/revocation messages that guarantees only one such message will be posted per key, and any revocation messages not posted to this registry would be ignored. Again, I don't think reputation capital is the best solution to the problem that it tries to solve. I'm just trying to defend it against the charge that it's a nonsensical idea. I still propose b-money as a better alternative. Maybe Tim has found an even better solution, and if so I certainly look forward to seeing it.
On Friday, November 30, 2001, at 01:56 PM, Wei Dai wrote:
On Fri, Nov 30, 2001 at 04:28:58PM -0500, Adam Shostack wrote:
Following which, Alice pulls out the pre-dated revocation certificate, and generates confusion as to the validity of Bob's key change message.
I guess we would need a distributed public registry of key change/revocation messages that guarantees only one such message will be posted per key, and any revocation messages not posted to this registry would be ignored.
Again, I don't think reputation capital is the best solution to the problem that it tries to solve. I'm just trying to defend it against the charge that it's a nonsensical idea. I still propose b-money as a better alternative. Maybe Tim has found an even better solution, and if so I certainly look forward to seeing it.
I'm writing a response to your long reply to my long article. (You hadn't responded to my article for some number of days after it appeared, which is fine, but that's why I haven't felt pressured to reply immediately to your reply.) I'll try to get it out later today or tomorrow. But so there's no suspense, I'm not claiming a better cryptographic protocol, certainly not involving distributed key registries for nym reputations. It's that whole approach I'm arguing against. Which I think I argued for reasonably well in the long post. If you or others are not convinced, fine. But I will send off the reply on specific points later, tonight or tomorrow. --Tim May "Dogs can't conceive of a group of cats without an alpha cat." --David Honig, on the Cypherpunks list, 2001-11
very good
p.j
----- Original Message -----
From: Tim May
On Friday, November 30, 2001, at 01:56 PM, Wei Dai wrote:
On Fri, Nov 30, 2001 at 04:28:58PM -0500, Adam Shostack wrote:
Following which, Alice pulls out the pre-dated revocation certificate, and generates confusion as to the validity of Bob's key change message.
I guess we would need a distributed public registry of key change/revocation messages that guarantees only one such message will be posted per key, and any revocation messages not posted to this registry would be ignored.
Again, I don't think reputation capital is the best solution to the problem that it tries to solve. I'm just trying to defend it against the charge that it's a nonsensical idea. I still propose b-money as a better alternative. Maybe Tim has found an even better solution, and if so I certainly look forward to seeing it.
I'm writing a response to your long reply to my long article.
(You hadn't responded to my article for some number of days after it appeared, which is fine, but that's why I haven't felt pressured to reply immediately to your reply.)
I'll try to get it out later today or tomorrow.
But so there's no suspense, I'm not claiming a better cryptographic protocol, certainly not involving distributed key registries for nym reputations. It's that whole approach I'm arguing against.
Which I think I argued for reasonably well in the long post. If you or others are not convinced, fine. But I will send off the reply on specific points later, tonight or tomorrow.
--Tim May "Dogs can't conceive of a group of cats without an alpha cat." --David Honig, on the Cypherpunks list, 2001-11
On 30 Nov 2001, at 13:56, Wei Dai wrote:
On Fri, Nov 30, 2001 at 04:28:58PM -0500, Adam Shostack wrote:
Following which, Alice pulls out the pre-dated revocation certificate, and generates confusion as to the validity of Bob's key change message.
I guess we would need a distributed public registry of key change/revocation messages that guarantees only one such message will be posted per key, and any revocation messages not posted to this registry would be ignored.
This assumes that you want it to be possible to buy and sell reputation capital, and that people will accept bought reputation as valid, propositions that I think are contrary to fact. That is, if (purely hypothetically) I believed "Wei Dai" was the most intelligent, informed, and creative poster I had ever seen, and I learned that "Wei Dai" had sold his name to some unknown third party, I would consider any impressions I had about "Wei Dai" to be instantly invalidated (since there's no particular reason to believe they'd apply to the new nym owner), and the name would become worthless (in my eyes) regardless of how much the new owner paid for it. I'll take that a step further: the possibility that nyms might me surreptitiously bought and sold is a critical weakness of any sort of nym reputation system, and a system designed to facilitate this kind of fraud is system in which only a fool would put any confidence in any reputation.
Again, I don't think reputation capital is the best solution to the problem that it tries to solve. I'm just trying to defend it against the charge that it's a nonsensical idea. I still propose b-money as a better alternative. Maybe Tim has found an even better solution, and if so I certainly look forward to seeing it.
I don't think anyone claims that the whole idea is nonsense, just that it's a mistake to view it as a singel real number. Maybe a 3x3 matrix would be better? George
I think you'd want to have a regular public key change, where the user creates a new public key, signs it with their old key. This way key change does not suggest possible ownership change. Then to effect a nym transfer, the new public key is instead chosen by the new owner, and the old owner signs it. This still leaves the problem of the old nym revealing a previously unpublished identity revocation, or simply some signed statements which are damaging to the nyms reputation. Some ideas on this: - introduce a time-stamping service for certification signatures only (explicitly not for documents) - re-define valid certificate signatures to be signatures made on public key and identity pairs within the validity period of a key - publish signature private keys after expiry. Now anyone can create nym revocation with old keys, and so no reputational damage can be done by the old owner with nym revocations. The time-stamper will not assist in signing arbitrary documents, and so the old nym owner can not use it to prove a document was signed during the validity period of the key. (Were it signed after the validity period it would anyway not be considered a valid signature). Where general document signing time-stamping is used, to prevent post-sale nym reputation suicide, the new owner could demand all past signed messages and verify them against the merkle hash tree master hash maintained by the time-stamper, and vet the messages as not damaging to the nyms reputation. For private encrypted messages the nym would not like to share, even after nym sale, a non-transferable signature scheme could be used, with the time-stamper having a separate hash-tree for such signatures. The new owner would be somewhat assured that the old owner could not have any signatures that he can both prove the time of authorship of and transfer. The availability of third party time-stamping services, and other simple methods of dating documents (pre-published hash, 3rd party vouching for time of authorship) limits the assurances provided by the above approaches. Another avenue might be designated verifier signatures where the signature sheme necessarily requires collaboration of a verifier, and the verifier will take instructions from the current owner. Or better where only the current owner in collaboration with the designated verifier can assist a user in verifying a signature. (eg using pro-active security to re-split the key on nym sale so the old owner isn't able to collaborate in verification). In this way the new owner gets to vet which signatures the public can verify. Adam On Fri, Nov 30, 2001 at 01:56:52PM -0800, Wei Dai wrote:
On Fri, Nov 30, 2001 at 04:28:58PM -0500, Adam Shostack wrote:
Following which, Alice pulls out the pre-dated revocation certificate, and generates confusion as to the validity of Bob's key change message.
I guess we would need a distributed public registry of key change/revocation messages that guarantees only one such message will be posted per key, and any revocation messages not posted to this registry would be ignored.
Again, I don't think reputation capital is the best solution to the problem that it tries to solve. I'm just trying to defend it against the charge that it's a nonsensical idea. I still propose b-money as a better alternative. Maybe Tim has found an even better solution, and if so I certainly look forward to seeing it.
participants (7)
-
Adam Back -
Adam Shostack -
comsec os -
georgemw@speakeasy.net -
Sunder -
Tim May -
Wei Dai