1994-02-17 - Re: Models of Anonymity (was Re: Detweiler abuse again)

Header Data

From: “Jon ‘Iain’ Boone” <boone@psc.edu>
To: cypherpunks@toad.com
Message Hash: 6e52049f4820902ed664bbe81016c3aa378d6a847494aea12a28f31fcb9445e7
Message ID: <9402171612.AA00342@igi.psc.edu>
Reply To: <9402150715.AA02994@toxicwaste.media.mit.edu>
UTC Datetime: 1994-02-17 16:15:23 UTC
Raw Date: Thu, 17 Feb 94 08:15:23 PST

Raw message

From: "Jon 'Iain' Boone" <boone@psc.edu>
Date: Thu, 17 Feb 94 08:15:23 PST
To: cypherpunks@toad.com
Subject: Re: Models of Anonymity (was Re: Detweiler abuse again)
In-Reply-To: <9402150715.AA02994@toxicwaste.media.mit.edu>
Message-ID: <9402171612.AA00342@igi.psc.edu>
MIME-Version: 1.0
Content-Type: text/plain

Derek Atkins <warlord@MIT.EDU>  writes:
> I'm not sure that I really meant to have a receipt, more of a
> return-path.  Maybe even a cryptographically secure return path.  I
> think a question is: who are we protecting against?  Are we protecting
> against the remailer operators?  Or are we trying to protect from a
> third party?

  I think that we are trying to protect against 3rd parties.  With the
  X-A-R-P:/X-A-S-P: scheme I posted, each remailer *could* log who it
  came from and who it was going to -- it's optional.  But, (with the
  appropriate delays and padding to prevent traffic analysis), a third
  party would not be able to figure that out.

> To me, this is like NEARNet saying that they have no obligation to
> accept packets from a known disruptive user.  No, I don't believe that
> that is the answer.  Then again, I don't think that a remailer should
> run out of an account, but rather on a machine, but that's a different
> story.  I consider a remailer a service, and as such, the service
> should be available to all comers.  (With digital postage this
> paradigm makes much more sense).  I do not think of it like a home.

  I would argue that you are correct.  Anonymous remailing is a new service.
  It should have new servers that run on a well-known port (so that any user
  can start one up) and hacks could be put into most of the current mail
  agents to support using an anonymous remailer.  We don't even have to follow
  RFC 822 in the format of our messages, though I think we should.

> I also agree that positive reputation is important, but I think that
> is much more difficult to implement than a more secure anonymous
> system.

  Yes.  The easiest way to build a reputation is to assign some unique
  public/private key pair to each anonymous user and require all remailed
  messages to be signed.  Then, you as a user can choose to ignore or
  read messages from that id.  Additionally, it does allow for the
  server daemon to reject postings from "abusive" ids or simply not forward
  the posting, but rather a notice stating the ID and subject line of the
  message, making it available in a public place like anonymous ftp or
  gopherspace for those who *do* want to read it.  

  The really nice thing about this is that it won't prevent people from
  having their anonymity, but it will cut down on the actual damage that
  abusers can do.

> To reiterate: I do think that something needs to be done, but I think
> we should analyze what we are trying to accomplish rather than rushing
> off and saying "just don't service this abusive customer".

  I agree.  I think anonymous remailing should be as close to universal as
  possible.  If there *is* a way to service everyone, I think we should do
  it.  Resorting to non-service of "abusers" should be the last resort.

 Jon Boone | PSC Networking | boone@psc.edu | (412) 268-6959 | PGP Key # B75699
 PGP Public Key fingerprint =  23 59 EC 91 47 A6 E3 92  9E A8 96 6A D9 27 C9 6C
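
The signed-pseudonym reputation scheme described in the reply above, as an added sketch that is not part of the original post or of any remailer's code. It assumes toy textbook RSA over fixed Mersenne primes as a stand-in for a PGP signature (not secure, chosen so the sketch needs only the standard library); the function names, sample keys and messages are constructed for illustration.

```python
import hashlib

E = 65537  # public exponent shared by every toy key below

def make_key(p, q):
    """Toy textbook-RSA key from two known primes: demo only, not secure."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(n, subject, body):
    data = f"{len(subject)}:{subject}{body}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def pseudonym_id(n):
    """The ID is a hash of the public key, so it names a key, not a person."""
    return hashlib.sha256(str(n).encode()).hexdigest()[:16]

def sign(key, subject, body):
    sig = pow(digest(key["n"], subject, body), key["d"], key["n"])
    return {"n": key["n"], "subject": subject, "body": body, "sig": sig}

def verify(msg):
    expected = digest(msg["n"], msg["subject"], msg["body"])
    return pow(msg.get("sig", 0), E, msg["n"]) == expected

def remail(msg, abusive_ids, archive):
    """Return (action, text to send on) for one incoming message."""
    if not verify(msg):
        return ("drop", None)  # no valid signature, so no ID to hold a reputation
    pid = pseudonym_id(msg["n"])
    if pid in abusive_ids:
        # Keep the body retrievable (the post suggests anonymous ftp or gopher)
        # and pass on only the ID and subject line.
        archive[(pid, msg["subject"])] = msg["body"]
        return ("notice", f"Held message from {pid}: {msg['subject']}")
    return ("forward", f"From: {pid}\nSubject: {msg['subject']}\n\n{msg['body']}")

# Constructed sample keys (Mersenne primes) and messages.
USER_A = make_key(2**127 - 1, 2**107 - 1)
USER_B = make_key(2**89 - 1, 2**61 - 1)
ABUSIVE = {pseudonym_id(USER_B["n"])}

if __name__ == "__main__":
    archive = {}
    tampered = dict(sign(USER_A, "remailer ports", "original"), body="altered")
    for m in (sign(USER_A, "remailer ports", "Use a well-known port."),
              sign(USER_B, "flood", "spam spam spam"), tampered):
        print(remail(m, ABUSIVE, archive))
```

The daemon never learns who holds a key; it only ties a reputation to the key's hash, which is why an unsigned or altered message has nothing to attach a reputation to and is dropped.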