[freehaven-dev] Why Unpublishing Is Not Allowed

[Roger R Dingledine <arma@mit.edu>]

It would allow a lot of flexibility in the system to be able to
modify, remove, or replace documents that have been stored in the
servnet before their expiration time arrives.

However, this introduces many more attacks on the documents in the
system, and does not provide sufficient functionality to warrant
solving those new attacks. Free Haven is not meant as a file system --
the high latency makes it less convenient as a file system, and the
true anonymity and decentralized accountability (from the buddy
system) are designed specifically to prevent unpublishing.

Consider the argument from this angle: a request for unpublishing
will either be authenticated or unauthenticated.
If the request is authenticated, then clearly the original publisher
has kept some identifying features from when he published the document,
in order to present them now as authentication. Similarly, the share
itself must have some mechanism for verifying the authentication. Both
of these imply an unacceptable loss of anonymity for both the publisher
and the share itself.
If the request is unauthenticated, then by definition there is no
way for the share to confirm that the request is an 'appropriate' or
'acceptable' one -- indeed, anybody could spoof an unpublish request
in this scenario, which is clearly unacceptable.

[Any flaws in the above logic? (This is your time to attack...there's
lots to attack :) ]

--Roger