From: Eric Hughes <hughes@soda.berkeley.edu>
To: cypherpunks@toad.com
Message Hash: b4609a31bae0722dd75d0139f61bf5815ea3df7d63f7c84ba00cb79623ee7c96
Message ID: <9303281938.AA29951@soda.berkeley.edu>
Reply To: <9303280726.AA11118@toad.com>
UTC Datetime: 1993-03-28 16:58:12 UTC
Raw Date: Sun, 28 Mar 93 08:58:12 PST
From: Eric Hughes <hughes@soda.berkeley.edu>
Date: Sun, 28 Mar 93 08:58:12 PST
To: cypherpunks@toad.com
Subject: ANON: real-person newsgroups
In-Reply-To: <9303280726.AA11118@toad.com>
Message-ID: <9303281938.AA29951@soda.berkeley.edu>
MIME-Version: 1.0
Content-Type: text/plain
Marc Ringuette writes:
>PEM certificates will distinguish between real people and personas.
>A public-key-authenticated "real person newsgroup" can be
>implemented.
I am opposed to "is-a-person" credentials, especially of the type
"is-this-specific-person". The knowledge of personal identity is in
most cases not salient.
We are in danger of creating a system similar to the SSN fiasco, where
a public identity is now not only a number but a cryptographically
protected one. When such a system exists, there will be strong
pressures to use it for other purposes, just as there are with SSN's.
In short, do not support the PEM certification hierarchy in any way.
If you are in a corporate position with the power to make this
decision, nix it. If you are an individual, do not get or use these
certificates. Do not even get persona certificates; it strengthens
the person identification system by its negative.
>I think a major task ahead of us is to provide an alternative to
>"real people = good, personas = bad", and to put forward alternatives
>to "real person newsgroups" which are tolerable to most and more
>palatable to us.
Newsgroups could be the first structure to require identity, and they
wouldn't be the last. We need alternatives before authentication
to real people becomes prevalent.
I fully agree that the creation of better structures is pressing on
us. I would prefer to be the default and make PEM "the alternative".
>So what's the distinction we might wish to put forward instead of
>"real person"? "Paying customer", perhaps, or "respected reputation"?
The simplest replacement for "real person" is "public key." Carl
Ellison argues mightily and well for this, and has for several years.
By going to just public key, you can support other models and retain
continuity of conversation, where that is desired.
>Yeah, that sounds good. Maybe it's time to set up some reputation
>based newsgroups, with a means of keeping track of who has been
>posting good stuff, and of filtering for credibility.
We need to set up some replacement for the existing fora. Here are
some of the characteristics I've thought about:
1. Eliminate the default behavior to transmit everything received.
On both mailing lists and newsgroups, everthing anybody wants to say
to is sent to the whole group. There are two common restrictions on
this. One is closed mailing lists, where the same default
transmission occurs but is a closed group. That group can get large,
however, and manifest all the probelms of an open group. The other is
to use a moderator, or more accurately an approver, to pre-read all
the material before transmission.
So default transmission has to go. What will replace it? Whatever it
is, it must have the characteristic that there will be posts that will
not be sent to everybody when they first arrive. Simple, but this is
an extremely important characteristic of any future forum.
I think the origin of this behavior lies in the UUCP origins of
newsgroups, where interactive use was difficult and expensive, and
where mail delivery turnaround times were measured in days. Back
then, it actually was better to do default transmission, especially in
a fairly homogenous environment where most people got along OK.
2. For bootstrapping purposes, default transmission must be supported
to some subset of the member of the forum. This seems to directly
conflict the point made above. Default transmission must be supported
to some, but can't be to all. If you require that anybody who wants
to use this new forum install "work-in-progress" software in order to
participate, you'll cut out most of your participants. Now people
won't participate unless there's some content to the forum, and that
will have to be provided by more than just the users of the new
software.
2a. Corollary: A "lurker-only" mode must always be supported. There
will always be those who just want to listen who are not expected to
otherwise participate. A lurker mode, by its nature, will be default
transmission, but not of the whole discussion, perhaps.
3. The social relations among individuals must not have any assymetry
enforced by the software. A moderator, for example, is in a different
position than any other list participant. That means that all people
must be able to participate in deciding what they want to read and
what they want to say about what they've read.
4. The development of social assymetries must not be prevented by the
software. Some people will want to ignore others and want to listen
only to others. When these preferences become commonplace, there are
optimizations that can take place which create assymetries, for
example, by doing transmissions to lurkers based on the ratings of the
most respected group members.
5. Since people must base their decisions on something other than the
content of the postings themselves, and since meta-traffic about
postings shouldn't completely overwhelm the forum itself, it is
desirable that ratings be specified in some contrained grammar,
preferably very small and machine-parsable.
6. There must exist a mechanism for ensuring that the aggregate
rating information is not unbounded. This is a subtle point which I
illustrate with an analogue: in an adventure game, there must be some
limit on the total amount of money. If voting is completely
unconstrained, you quickly get vote inflation and the devaluation of
an individual's opinion. If I can vote one hundred times for myself,
something's wrong.
Therefore I suggest that opinion votes be issued similarly to money.
Each person voting gets to withdraw one "permission to publish an
opinion" per message, withdrawn by a blind signature, and then gets to
use it however they want. They can cast it themselves, or give it
someone else to cast by proxy. (Note that a blind signature is an
interactive protocol.) You want a blind signature to avoid the trap
of revealing privacy information by default. If someone wants to say
what they thought, they are, of course, free to do so.
7. Participants should have the ability to distinguish between blind
votes and public votes. People should have the option of ignoring the
"prevailing wisdom," especially when that prevailing wisdom tends to
crush minority opinions.
8. The rating system should be separable from the transmission
system. This is to allow multiple rating systems to emerge. A rating
collective built on top of a mailing list, for example, could get a
full feed of all posts, but not transmit all of them to all of its
members.
9. Someone is going to have to look at the really awful stuff in
order to rate it negatively. "I just don't want it to be me." Many
will say this, no doubt.
That's all for now.
Eric
Return to March 1993
Return to “Marc.Ringuette@GS80.SP.CS.CMU.EDU”