
Re: [freehaven-dev] Deletion of documents

At 04:00 PM 3/11/2000 -0500, you wrote:
>Let's see :
>* Before an "unpublishing event", the value of x must be kept by someone. 
>  This person can then be linked to the document. Once he is linked to
>  the document, he may be forced to unpublish the document. 
>  This is a significant concern. 

Agreed.  It also breaks our description of anonymity.

>So far, it seems we could have achieved the same functionality by allowing
>unpublish requests signed by the private key used to sign shares.
>Immediately after sending the command to unpublish, the key holder 
>eradicates the share private key - which is the same thing as destroying x
>in this scheme. 

I disagree.  A signature gives some knowledge of the publisher.  Even if we
don't have the PK of the signer  (publisher) listed in the file, it is
possible that somebody could do an "exhaustive" type searching to link the
private sig to PK, and thus to some signing publisher.  But the signer is
just a persistent ID, you might ask?  It's not really that simple.  We
haven't handled yet the means of communication between a user and the
servnet node that will insert some file in the system (which is probably
just encrypted transmission, or direct use, or anonymous communication via
email, etc.)  Although I agree this should/will be anonymous, I think a few
considerations arise:

If we sign with the inserting servnet node, this isn't exactly giving
unpublishing ability to the user.

If we sign with the user, this gives some identity associated with a file
(even if it is "anonymous"), something we didn't have before, nor something
generally desirable, in my opinion.

I think the use of 'x' and 'y' as described doesn't have these same issues.

Some of your other concerns appear valid.  Perhaps something to discuss at


  Michael J Freedman

Mail:  mfreed@mit.edu
Web:     griffen.mit.edu
Phone:    617.225.9381
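Added example (not from the thread or the Free Haven code) showing the linkability point made above in runnable form. The "sign the unpublish request with the share key" design is modelled with Ed25519; the x/y scheme is assumed here to be a plain hash commitment (y = SHA-256(x) stored with the document, x revealed to unpublish), since the thread does not spell it out. Document ids and the token x are constructed sample values. LinkToKey is the "exhaustive" search: an observer holding a directory of candidate public keys tries the signature against each one, so omitting the public key from the file does not prevent the link. The reveal of x carries no key material and verifies only against that document's y, which is the asymmetry the reply relies on (the quoted concern that someone must hold x, and is therefore tied to the document, still applies).

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// ---- Design A: unpublish request signed with the share-signing key ----
// The public key is deliberately NOT stored with the document; this is the
// case the reply argues is still linkable.

// SignedUnpublish is the request a key holder sends to a servnet node.
type SignedUnpublish struct {
	DocID []byte
	Sig   []byte
}

func unpublishMsg(docID []byte) []byte {
	return append([]byte("unpublish:"), docID...)
}

// SignUnpublish builds the request; the proposal has the holder erase the
// private key immediately afterwards.
func SignUnpublish(priv ed25519.PrivateKey, docID []byte) SignedUnpublish {
	return SignedUnpublish{DocID: docID, Sig: ed25519.Sign(priv, unpublishMsg(docID))}
}

// LinkToKey is the exhaustive search: verify the signature against every
// candidate public key an observer has collected (from other shares, other
// requests, a key server). Returns the index of the key that verifies, or -1.
// Erasing the private key after signing does not help; the request exists.
func LinkToKey(req SignedUnpublish, candidates []ed25519.PublicKey) int {
	msg := unpublishMsg(req.DocID)
	for i, pub := range candidates {
		if ed25519.Verify(pub, msg, req.Sig) {
			return i
		}
	}
	return -1
}

// ---- Design B: x/y as a hash commitment (assumption, see lead-in) ----
// y = SHA-256(x) travels with the document; x is revealed only to unpublish.

// Commit computes the value y that is published alongside the document.
func Commit(x []byte) [32]byte { return sha256.Sum256(x) }

// VerifyReveal is the check a node performs on an unpublish request carrying x.
// The reveal references no key, so a candidate-key directory is useless to an
// observer here; x is bound to this one document only.
func VerifyReveal(y [32]byte, x []byte) bool { return sha256.Sum256(x) == y }

// Outcome collects what each design leaks or accepts in the scenario below.
type Outcome struct {
	SignerFound    int  // index recovered by LinkToKey, -1 if none
	RevealAccepted bool // node accepted the genuine x
	ForgedAccepted bool // node accepted a wrong x
}

// Scenario: three publishers whose public keys an observer already holds;
// publisher #1 unpublishes under design A, and a separate document is
// unpublished under design B.
func Scenario() Outcome {
	docID := []byte("doc-7f3a") // constructed sample id
	var pubs []ed25519.PublicKey
	var privs []ed25519.PrivateKey
	for i := 0; i < 3; i++ {
		pub, priv, err := ed25519.GenerateKey(nil) // nil reader = crypto/rand
		if err != nil {
			panic(err)
		}
		pubs = append(pubs, pub)
		privs = append(privs, priv)
	}
	req := SignUnpublish(privs[1], docID)
	signerFound := LinkToKey(req, pubs)

	x := []byte("constructed unpublish token for doc-7f3a")
	y := Commit(x)
	return Outcome{
		SignerFound:    signerFound,
		RevealAccepted: VerifyReveal(y, x),
		ForgedAccepted: VerifyReveal(y, []byte("wrong token")),
	}
}

func main() {
	o := Scenario()
	fmt.Printf("design A: signature linked to publisher #%d\n", o.SignerFound)
	fmt.Printf("design B: genuine reveal accepted=%v, forged reveal accepted=%v\n",
		o.RevealAccepted, o.ForgedAccepted)
}
```

Note that design B removes the persistent-identity link but not the per-document one: whoever can produce x is still the party that can be compelled to unpublish, which is the concern raised in the quoted message.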