
[freehaven-dev] document-anonymity terminology



It just occurred to me that the below notions might be more clearly
described as "passive-server document-anonymity" and "active-server
document-anonymity".

Thoughts/arguments?
--Roger

\item[Document-Anonymity:]
Document-anonymity means that a server does not know which documents it
is storing. Document-anonymity is crucial if mere possession of some file
is cause for action against the server, because it provides protection
to a server operator even after his or her machine has been seized by an
adversary. This notion is sometimes also known as `plausible deniability',
but see below under query-anonymity.

\emph{Isolated-server} document-anonymity means that if the server is
allowed to look only at the data that it is storing, it is unable to
figure out the contents of the document. This can be achieved via some
sort of secret sharing mechanism. That is, multiple servers split up
either the document or an encryption key that recreates the document
(or both). An alternative approach is to encrypt the document before
publishing, using some key which is external to the server.

\emph{Connected-server} document-anonymity refers to the situation in
which the server is allowed to communicate and compare data with all
other servers. Since a connected server may act as a reader and do
document requests itself, connected-server document-anonymity seems
difficult to achieve without some trusted party that can distinguish
server requests from ``ordinary'' reader requests.