Pseudonymity for tor: nym-0.1 (fwd)

Jason Holt jason at lunkwill.org
Thu Sep 29 19:32:24 EDT 2005


On Thu, 29 Sep 2005, Ian G wrote:
> Couple of points of clarification - you mean here
> CA as certificate authority?  Normally I've seen
> "Mint" as the term of art for the "center" in a
> blinded token issuing system, and I'm wondering
> what the relationship here is ... is this something
> in the 1990 paper?

Actually, it was just the closest paper at hand for what I was trying to do, 
which is "nymous accounts", just as you say.  So I probably shouldn't have 
referred to "spending" at all.

My thinking is that if all Wikipedia is trying to do is enforce a low barrier 
of pseudonymity (where we can shut off access to persons, based on a rough 
assumption of scarce IPs or email addresses), a trivial blind signature system 
should be easy to implement.  No certs, no roles, no CRLs, just a simple 
blindly issued token.  And in fact it took me about 4 hours (while the 
conversation on or-talk has been going on for several days...)

There are two problems with what I wrote. First, the original system is 
intended for cash instead of pseudonymity, and thus leaves the spender a 
disincentive to duplicate other serial numbers (since you'd just be accused of 
double spending); this is a problem since if an attacker sees you use your 
token, he can get the same token signed for himself and besmirch your nym. And 
second, it would be a pain to glue my scripts into an existing authentication 
system.

Both problems are overcome if, instead of a random token, the client blinds 
the hash of an X.509 client cert.  Then the returned signature gives you a 
complete client cert you can plug into your web browser (and which web servers 
can easily demand).  Of course, you can put anything you want in the cert, 
since the servers know that my CA only certifies 1 bit of data about users 
(namely, that they only get one cert per scarce resource).  But the public key 
(and verification mechanisms built in to TLS) keeps abusers from being able to 
pretend they're other users, since they won't have the users' private keys.

<rant>
The frustrating part about this is the same reason why I'm getting out 
of the credential research business.  People have solved this problem 
before (although I didn't know of any Free solutions; ADDS and SOX are hard to 
google -- are they Free?).  I even came up with at least a proof of 
concept in an afternoon.  And yet the argument on the list went on and on, 
/without even an acknowledgement of my solution/.  Everybody just kept 
debating the definitions of anonymity and identity, and accusing each other of 
anarchy and tyranny.  We go round and round when we talk about authentication 
systems, but never get off the merry-go-round.

Contrast that with Debevec's work at Berkeley; Ph.D in 1996 on "virtual 
cinematography", then The Matrix comes out in 1999 using his techniques and 
revolutionizes action movies.  Sure, graphics is easier because it doesn't 
require everyone to agree on an /infrastructure/, but then, neither does the 
tor/wikipedia problem.  I'm grateful for guys like Roger Dingledine and Phil 
Zimmerman who actually make a difference with a privacy system, but they seem 
to be the exception, rather than the rule.
</rant>

So thanks for at least taking notice.

 						-J

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list