Re: Pseudonymity for tor: nym-0.1 (fwd)

2005-09-29 Thread Jason Holt

On Thu, 29 Sep 2005, Ian G wrote:

Couple of points of clarification - you mean here
CA as certificate authority?  Normally I've seen
"Mint" as the term of art for the "center" in a
blinded token issuing system, and I'm wondering
what the relationship here is ... is this something
in the 1990 paper?

Actually, it was just the closest paper at hand for what I was trying to do, 
which is "nymous accounts", just as you say.  So I probably shouldn't have 
referred to "spending" at all.

My thinking is that if all Wikipedia is trying to do is enforce a low barrier 
of pseudonymity (where we can shut off access to persons, based on a rough 
assumption of scarce IPs or email addresses), a trivial blind signature system 
should be easy to implement.  No certs, no roles, no CRLs, just a simple 
blindly issued token.  And in fact it took me about 4 hours (while the 
conversation on or-talk has been going on for several days...)

There are two problems with what I wrote. First, the original system is 
intended for cash instead of pseudonymity, and thus leaves the spender a 
disincentive to duplicate other serial numbers (since you'd just be accused of 
double spending); this is a problem since if an attacker sees you use your 
token, he can get the same token signed for himself and besmirch your nym. And 
second, it would be a pain to glue my scripts into an existing authentication 

Both problems are overcome if, instead of a random token, the client blinds 
the hash of an X.509 client cert.  Then the returned signature gives you a 
complete client cert you can plug into your web browser (and which web servers 
can easily demand).  Of course, you can put anything you want in the cert, 
since the servers know that my CA only certifies 1 bit of data about users 
(namely, that they only get one cert per scarce resource).  But the public key 
(and verification mechanisms built in to TLS) keeps abusers from being able to 
pretend they're other users, since they won't have the users' private keys.

The frustrating part about this is the same reason why I'm getting out 
of the credential research business.  People have solved this problem 
before (although I didn't know of any Free solutions; ADDS and SOX are hard to 
google -- are they Free?).  I even came up with at least a proof of 
concept in an afternoon.  And yet the argument on the list went on and on, 
/without even an acknowledgement of my solution/.  Everybody just kept 
debating the definitions of anonymity and identity, and accusing each other of 
anarchy and tyranny.  We go round and round when we talk about authentication 
systems, but never get off the merry-go-round.

Contrast that with Debevec's work at Berkeley; Ph.D in 1996 on "virtual 
cinematography", then The Matrix comes out in 1999 using his techniques and 
revolutionizes action movies.  Sure, graphics is easier because it doesn't 
require everyone to agree on an /infrastructure/, but then, neither does the 
tor/wikipedia problem.  I'm grateful for guys like Roger Dingledine and Phil 
Zimmerman who actually make a difference with a privacy system, but they seem 
to be the exception, rather than the rule.

So thanks for at least taking notice.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: continuity of identity

2005-09-29 Thread Adam Shostack
On a somewhat related note, the other day, I was working on a shell
script to automate Mac access to Google's Secure Access system.  

Now, as I did this, I was able to get curl to respect a single CA as
the only CA it should accept, but I was totally unable to get any form
of certificate persistance.  Is there a way to do this, or am I forced
to invoke openssl and parse its output?


On Tue, Sep 27, 2005 at 04:05:42PM -0400, John Denker wrote:
| Jerrold Leichter mentioned that:
| > a self-
| >signed cert is better than no cert at all:  At least it can be used in an 
| >SSH-like "continuity of identity" scheme.
| I agree there is considerable merit to a "continuity of identity"
| scheme.
| But there are ways the idea can be improved.  So let's discuss it.
| For starters, let me suggest that rather than having a self-signed
| certificate of the type created more-or-less automatically when
| you set up your Apache server or set up your SSH daemon, it makes
| more sense to set up your own CA and issue your own certs from
| there.  In some sense this is just a different type of self-signing,
| but it adds a possibly useful layer of indirection.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]