Pseudonymity for tor: nym-0.1 (fwd)

Jason Holt jason at lunkwill.org
Thu Sep 29 16:32:48 PDT 2005 


---------- Forwarded message ----------
Date: Thu, 29 Sep 2005 23:32:24 +0000 (UTC)
From: Jason Holt <jason at lunkwill.org>
To: Ian G <iang at systemics.com>
Cc: cryptography at metzdowd.com
Subject: Re: Pseudonymity for tor: nym-0.1 (fwd)


On Thu, 29 Sep 2005, Ian G wrote:
>Couple of points of clarification - you mean here
>CA as certificate authority?  Normally I've seen
>"Mint" as the term of art for the "center" in a
>blinded token issuing system, and I'm wondering
>what the relationship here is ... is this something
>in the 1990 paper?

Actually, it was just the closest paper at hand for what I was trying to do,
which is "nymous accounts", just as you say.  So I probably shouldn't have
referred to "spending" at all.

My thinking is that if all Wikipedia is trying to do is enforce a low
barrier of pseudonymity (where we can shut off access to persons, based on a
rough assumption of scarce IPs or email addresses), a trivial blind
signature system should be easy to implement.  No certs, no roles, no CRLs,
just a simple blindly issued token.  And in fact it took me about 4 hours
(while the conversation on or-talk has been going on for several days...)

There are two problems with what I wrote. First, the original system is
intended for cash instead of pseudonymity, and thus leaves the spender a
disincentive to duplicate other serial numbers (since you'd just be accused
of double spending); this is a problem since if an attacker sees you use
your token, he can get the same token signed for himself and besmirch your
nym. And second, it would be a pain to glue my scripts into an existing
authentication system.

Both problems are overcome if, instead of a random token, the client blinds
the hash of an X.509 client cert.  Then the returned signature gives you a
complete client cert you can plug into your web browser (and which web
servers can easily demand).  Of course, you can put anything you want in the
cert, since the servers know that my CA only certifies 1 bit of data about
users (namely, that they only get one cert per scarce resource).  But the
public key (and verification mechanisms built in to TLS) keeps abusers from
being able to pretend they're other users, since they won't have the users'
private keys.

<rant>
The frustrating part about this is the same reason why I'm getting out of
the credential research business.  People have solved this problem before
(although I didn't know of any Free solutions; ADDS and SOX are hard to
google -- are they Free?).  I even came up with at least a proof of concept
in an afternoon. And yet the argument on the list went on and on, /without
even an acknowledgement of my solution/.  Everybody just kept debating the
definitions of anonymity and identity, and accusing each other of anarchy
and tyranny.  We go round and round when we talk about authentication
systems, but never get off the merry-go-round.

Contrast that with Debevec's work at Berkeley; Ph.D in 1996 on "virtual
cinematography", then The Matrix comes out in 1999 using his techniques and
revolutionizes action movies.  Sure, graphics is easier because it doesn't
require everyone to agree on an /infrastructure/, but then, neither does the
tor/wikipedia problem.  I'm grateful for guys like Roger Dingledine and Phil
Zimmerman who actually make a difference with a privacy system, but they
seem to be the exception, rather than the rule.
</rant>

So thanks for at least taking notice.

						-J

----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07100, 11.36820            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]

More information about the cypherpunks-legacy mailing list