nym-0.2 released (fwd)

Sat Oct 1 15:27:32 PDT 2005

On 9/30/05, Jason Holt <jason at lunkwill.org> wrote:
> http://www.lunkwill.org/src/nym/
> ...
> My proposal for using this to enable tor users to play at Wikipedia is as
> follows:
>
> 1. Install a token server on a public IP.  The token server can optionally
be
> provided Wikipedia's blocked-IP list and refuse to issue tokens to
offending
> IPs.  Tor users use their real IP to obtain a blinded token.
>
> 2. Install a CA as a hidden service.  Tor users use their unblinded tokens
to
> obtain a client certificate, which they install in their browser.
>
> 3. Install a wikipedia-gateway SSL web proxy (optionally also a hidden
service)
> which checks client certs and communicates a client identifier to
MediaWiki,
> which MediaWiki will use in place of the REMOTE_ADDR (client IP address)
for
> connections from the proxy.  When a user misbehaves, Wikipedia admins block
the
> client identifier just as they would have blocked an offending IP address.

All these degrees of indirection look good on paper but are
problematic in practice. Each link in this chain has to trust all the
others. Whether the token server issues tokens freely, or the CA
issues certificates freely, or the gateway proxy creates client
identifiers freely, any of these can destroy the security properties
of the system. Hence it makes sense for all of them to be run by a
single entity. There can of course be multiple independent such
pseudonym services, each with its own policies.

In particular it is not clear that the use of a CA and a client
certificate buys you anything. Why not skip that step and allow the
gateway proxy simply to use tokens as user identifiers? Misbehaving
users get their tokens blacklisted.

There are two problems with providing client identifiers to Wikipedia.
The first is as discussed elsewhere, that making persistent pseudonyms
such as client identifiers (rather than pure certifications of
complaint-freeness) available to end services like Wikipedia hurts
privacy and is vulnerable to future exposure due to the lack of
forward secrecy. The second is that the necessary changes to the
Wikipedia software are probably more extensive than they might sound.
Wikipedia tags each ("anonymous") edit with the IP address from which
it came. This information is displayed on the history page and is used
widely throughout the site. Changing Wikipedia to use some other kind
of identifier is likely to have far-reaching ramifications. Unless you
can provide this "client idenfier" as a sort of virtual IP (fits in 32
bits) which you don't mind being displayed everywhere on the site (see
objection 1), it is going to be expensive to implement on the wiki
side.

The simpler solution is to have the gateway proxy not be a hidden
service but to be a public service on the net which has its own exit
IP addresses. It would be a sort of "virtual ISP" which helps
anonymous users to gain the rights and privileges of the identified,
including putting their reputations at risk if they misbehave. This
solution works out of the box for Wikipedia and other wikis, for blog
comments, and for any other HTTP service which is subject to abuse by
anonymous users. I suggest that you adapt your software to this usage
model, which is more general and probably easier to implement.

CP

----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07100, 11.36820            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]