nym-0.2 released

Jason Holt jason at lunkwill.org
Fri Sep 30 19:18:43 PDT 2005 

nym-0.2 is now available at:

http://www.lunkwill.org/src/nym/

My tor server is currently down, so I can't set up a public trial of this,
but perhaps someone else will.  This release makes the following
improvements:

* Tokens are now issued one-per-IP to clients via a "token" CGI script.
Tokens are still blindly issued, so nobody (including the token issuer) can
associate tokens with IP addresses.  The list of already-served IPs could be
periodically removed, allowing users to obtain new pseudonyms on a regular
basis.  (Abusers will then need to be re-blocked assuming they re-misbehave).

* A token can be used to obtain a signature on a client certificate from a
separate "CA" CGI script (potentially on a different machine).  Tokens can
only be "spent" to obtain one cert.  Code to make a CA, client certs and
have the certs signed is included.

* The CA public key can be installed on a third web server (or proxy) to
require that users have a valid client certificate.  Servers can maintain a
blacklist of misbehaving client certs.  Misbehavers will then be unable to
access the server until they obtain a new token and client cert (via a new
IP).



My proposal for using this to enable tor users to play at Wikipedia is as
follows:

1. Install a token server on a public IP.  The token server can optionally
be provided Wikipedia's blocked-IP list and refuse to issue tokens to
offending IPs.  Tor users use their real IP to obtain a blinded token.

2. Install a CA as a hidden service.  Tor users use their unblinded tokens
to obtain a client certificate, which they install in their browser.

3. Install a wikipedia-gateway SSL web proxy (optionally also a hidden
service) which checks client certs and communicates a client identifier to
MediaWiki, which MediaWiki will use in place of the REMOTE_ADDR (client IP
address) for connections from the proxy.  When a user misbehaves, Wikipedia
admins block the client identifier just as they would have blocked an
offending IP address.

						-J

----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07100, 11.36820            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]

More information about the cypherpunks-legacy mailing list