1993-03-25 - Distributed anonymous posting (was Re: Many Important Items…)

Header Data

From: Joe Thomas <jthomas@access.digex.com>
To: cypherpunks@toad.com
Message Hash: 39580bfb1f3340320165eaabea7b8f0ad964c5a2752c3985679d3da987c4512f
Message ID: <Pine.3.05.9303251227.A7954-d100000@access.digex.com>
Reply To: N/A
UTC Datetime: 1993-03-25 17:19:42 UTC
Raw Date: Thu, 25 Mar 93 09:19:42 PST

Raw message

From: Joe Thomas <jthomas@access.digex.com>
Date: Thu, 25 Mar 93 09:19:42 PST
To: cypherpunks@toad.com
Subject: Distributed anonymous posting (was Re: Many Important Items...)
Message-ID: <Pine.3.05.9303251227.A7954-d100000@access.digex.com>
MIME-Version: 1.0
Content-Type: text/plain

Tim May writes:
> Phil Karn comments on my proposal:
> >>(Cypherpunks remailers may want to change the "Nobody" and "Anonymous"
> >>to names that are less screenable, less susceptible to censorship by
> >>ARMM-type programs...
> >I'm not sure I like this idea. In my own discussions with people on
> >this issue, I've found that "filterability" (for lack of a better
> >term) overcomes *many* (if not all) of the standard objections to
> >anonymous email.
> A very good point. I was thinking more about the "ARMM"-style attacks and
> not so much about the normal filters people might write to keep from seeing
> anonymous posts.
We may be getting ahead of ourselves here.  Because of design decisions in
the cypherpunk remailers, I think they'd be a poor infrastructure for
anonymous Usenet posting.  Anonymous posting has been around as long as
Usenet, in the form of forged messages.  The most important service Julf's
remailer provided was a _return_path_ for replies, something cypherpunk
remailers take deliberate steps to destroy.  If one of the cypherpunk
remailers suddenly decided to implement anonymous Usenet posting as-is, I
think ARMM II would be the least of its problems.
I have been working through a few ideas for the design of a _distributed_
anonymous posting service, in which the loss of one machine would not
destroy all return addresses at that machine, nor compromise the return-
path database.  A handful of penet-style servers who share their return-
address databases (kept updated through an encrypted e-mail protocol,
perhaps) act as a Usenet "front-end" for posting.  But their databases
contain encrypted SASE paths through several cypherpunk remailers, instead
of normal return addresses.  Messages posted through any of the front
ends could be sent to the same user-name at any of the other front-end
machines, since they keep the same databases.  In order to assure that SASE
return path is robust, despite an environment in which remailers may be
shut down at any time, secret sharing might be used for remailer private
keys.  When a remailer went down, a quorum of the remaining remailer
operators would nominate a site to replace it, and send the "pieces" of the
lost remailer's secret key to the replacement site's administrator.  The
remaining remailers would adjust their "routing tables" so mail whose next
hop should be to the lost remailer is sent to its replacement instead.
The best part is that all of this would be transparent to the Usenet user,
who would just see a penet-style return address, along with a note in the
automatically appended signature that said that "if mail to an1234@foo.com
bounces, just try an1234@bar.uk or baz.fi," or whatever.
No doubt there are some problems with this scheme (traffic analysis attacks
on the SASE paths if the front-end database is compromised, etc.) that need
to be addresssed, but I offer it as a preliminary idea for a replacement
service whose stability would not be subject to the whims of any one site
or network connection.
> I guess the solution is to discourage global, ARMM-style filters (and
> perhaps even look again, as a community, at digital sigs for postings, so
  that only the author can cancel them).
Agreed.  This could even be implemented into today's news structure.  Old
servers would continue to blindly heed all cancel messages, while the new
software would verify PEM-style signatures, possibly as a header field.
And if a cabal of prudish newsadmins wanted to let each other cancel those
offensive anonymous articles at their sites, they could simply tell their
software to accept cancels signed by cabal-members' keys.  I don't see how
anyone could oppose this.
Version: 2.2

Joe Thomas <jthomas@access.digex.com>
PGP key available by request or by finger.
PGP key fingerprint:  1E E1 B8 6E 49 67 C4 19  8B F1 E4 9D F0 6D 68 4B