[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [freehaven-dev] Why Unpublishing Is Not Allowed

On Tue, Mar 14, 2000 at 07:23:13PM -0600, Brett Wooldridge wrote:
> I would argue that the risk is for the publisher to take -- if he/she so
> chooses.  Assuming that unpub/mod requests *are* authenticated; assume
> further that this is done by digitally signing the document (or it's shares).
> If I wish true anonymity, I can simply use a throw-away key -- and do just
> that, throw it away after publication.  If however, I decide to take the risk --
> which isn't that risky if I keep all my document keys encrypted -- then I can
> present the requisite credentials to remove/alter the document.
> brett

Brett: you should give a brief introduction of yourself and your interests
with free haven, since nobody but me knows who you are. :)

As for unpublishing, our main argument against allowing unpublishing is
that if the protocol does not support it, then there's no reason to even
consider that the publisher has the means to unpublish it. If there's even
a possibility that he didn't throw away his key (or more generally, if
there's any reason to suspect that a given person might possibly have the
means to unpublish a document), then the government should grab him and
torture him just in case he still has it.
[This goes to a side point: our system is not truly anonymous, in that
 there are social issues that can help to track a document to its
 publisher: if I tend to write crypto articles, and I have a certain
 writing style, then the government has a headstart on possible suspects
 for who authored the document. The anonymity comes in by making things

As a first point, I don't want to subject publishers (or anybody they might
possibly delegate this ability to, *whether or not they actually delegated 
it*), to this. As a second point, I'm concerned that allowing unpublishing
will open the flood gates to many new attacks and exploits that we haven't
considered very thoroughly yet. As a third point, I don't want to put in the
added protocol complexity of allowing an 'alter' operation on a document.
And as a fourth point (this one is hardest to defend), I really don't
see any reason why somebody should want to alter or remove a document they
submit -- the free haven service is meant to be a longterm robust
distributed persistent anonymous storage system, not a filesystem.

Thanks for the input!
Let's keep the ideas flowing on this until we all agree,