Hello directly from Jimbo at Wikipedia

cypherpunk cyphrpunk at gmail.com
Tue Sep 27 17:25:07 PDT 2005


As an occasional Tor and Wikipedia user, let me add a couple of points.

First, in case it is not obvious, the problem with the present system
is that Tor users can no longer edit on Wikipedia. I have done so in
the past, in what I like to think is a constructive manner, but cannot
do so since this summer. I have valid although perhaps unpopular
contributions to make, and not only is my freedom to express myself
limited, the quality of the material on Wikipedia suffers due to the
absence of my perspective. The status quo is not acceptable and we
should work to find a solution.

Looking at the proposals for authentication servers and such, I see a
major issue which is not being addressed. That is, how does the web
server distinguish "authenticated" Tor users from unathenticated ones?
If this is via a complicated protocol, there is no point as the
servers won't use it.

The hard truth is this: the distinction must be done on the basis of
IP address. That is, there must be a separate set of Tor exit nodes
which are only for authenticated users.

This does not necessarily mean building complex authentication
protocols into the Tor network, and having two classes of traffic
flowing around. It could be that this authenticated Tor is a separate
network. It only lets users in who are authenticated, and owns a
specific set of IP addresses which servers can whitelist. The regular
Tor exit nodes can be blacklisted as they are now.

The technical problem is then, how to achieve as much anonymity as
possible in the authenticated network, while still providing the abuse
prevention services which Wikipedia and other servers will require in
order to whitelist the nodes.

What does Wikipedia need? What is the minimum level of service they
require? Presumably, it is similar to what they can get via ISPs, who
also map many users to a fixed set of IP addresses. Wikipedia can
complain to the ISP, and it will get back in some form to that user.

Of course, Wikipedia does not know the details of how their complaint
is handled. Is the user kicked off, banned temporarily, or merely
given a stern warning? What matters to them is that, generally, users
that they complain about don't keep coming back. Their complaints are
effective, at least much or most of the time. This is the level of
response which an authenticated Tor network would have to provide.

The problem with this functionality from Tor's perspective is that
unlike an ISP, Tor does not have knowledge of the mapping from users
to IP addresses. Given a complaint that a certain IP was misused at a
certain time, Tor has no information about which user to penalize.

To solve the problem we would need to use some cryptographic
mechanism. Let authenticated users gain credentials via some
expensive, slow process. Let them embed the credentials in their
messages such that they are revealed in some blinded form to the exit
node. Let the exit nodes remember the credentials which were used at
different times. When valid complaints arrive, let the exit nodes
blacklist the credential which was in use at that time. This stops the
abuser.

There could be many such authenticated-Tor subnetworks. Each could
have its own credential servers, its own abuse policies, and its own
set of exit IP addresses. They would be like anonymous ISPs, from the
POV of web server operators like Wikipedia. Those which are
effectively able to suppress abuse will avoid blacklists and their
users will be able to successfully use web based services.

CP

----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07100, 11.36820            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]





More information about the cypherpunks-legacy mailing list