From: futplex@pseudonym.com (Futplex)
Date: Thu, 2 Nov 1995 22:15:34 +0800
To: cypherpunks@toad.com (Cypherpunks Mailing List)
Subject: Re: [FRED] Anonymity and Integrity
In-Reply-To: <9511020130.AA17317@all.net>
Message-ID: <199511020504.AAA19291@thor.cs.umass.edu>
MIME-Version: 1.0
Content-Type: text/plain


Dr. Frederick B. Cohen writes:
> I have been convinced for some time that you can't have both integrity and
> anonymity.  
[and in a followup]
> I might be misinterpreted as having meant that it is impossible to have
> both integrity and anonymity. That is not what I meant, [...]

Er, thanks for the clarification....

> Integrity:= 1) Steadfast adherence to a strict moral and ethical code.
> 	2) A state of being unimpaired; soundness.
> 	3) The quality or condition of being whole or undivided; soundness
> 	Also) soundness, completeness,
> Alternatively:
> 	1) Strict personal honesty and independence...
> 	2) Completeness; unity...
> 	3) The state of being unimpaired; soundness...''
> 
> In this context, I might be misinterpreted as having meant that it is
> impossible to have both integrity and anonymity.  That is not what I
> meant, although it is probably also true in a very strict sense.

All right, what makes you think that ?  Lest we wave our hands too much and
totally misunderstand each other, let me lay down a more concrete scenario.
If you have a substantially different scenario in mind, let me know.

Suppose that I send an anonymous message to a public forum such as this. I
and the message seem to "have anonymity" by any standard I can presently
imagine. Now, in what ways might I or the message lack integrity in this
situation ?  

I haven't broken my personal ethical codes, although perhaps
I've violated someone else's. I have been honest, at least as much as I am
generally honest in anything I write. I am not lying by donning the cloak of
anonymity; I have not misrepresented my identity, merely refused to reveal
it. The content of the message can be considered sound as much as anything
else can. The message is incomplete in the sense that it does not include
the true identity of the author -- is this what you would claim as a
failure of integrity ?  All messages are incomplete in the sense that
various important facts are absent from them.

> To clarify, I don't think you can assure integrity when you have anonymity.
> 
> This follows from my earlier writings (circa 1984-89), which are fairly
> extensive, and in which I made the only marginally supported claim that
> you can't have (i.e., assure) both integrity and secrecy in a system
> with sharing.  This came originally from the result that integrity +
> secrecy = no sharing (ala the combination of Biba and Bell-LaPadula)
> which was extended into a POset which characterizes the extent to which
> integrity and secrecy can be maintained based on transitive information
> flow.
> 
> The less mathematical reasoning is that in order to be able to verify
> integrity, you have to be able to examine the information that is
> secret, while having secrecy requires that you not be able to have
> independent verification.  Thus the two limit each other. 
> 
> Anonymity, in this copntext, can be thought of as secrecy.

I understand the nature of the information flow argument, but I don't see
that it's applicable. You appear to contend that the assurance of the
integrity of an anonymous message depends upon the examination of
information that is "secret", that is, _not part of the message_. But no
message is complete -- all messages have many such associated "secrets" not
available as part of the messages. So the claim seems to be vacuous: we
can assure the integrity of neither anonymous nor verinymous messages.

Perhaps the rejoinder will be that anonymous messages have a 
_characteristic_ piece of missing "secret" information, namely the senders'
True Names. But you have yet to offer any argument that only certain special
"secrets" must be examined in order to verify integrity.

-Futplex <futplex@pseudonym.com>