Re: [freehaven-dev] Why Unpublishing Is Not Allowed

["Brett Wooldridge" <brettw@riseup.com>]

----- Original Message -----
From: "Roger Dingledine" <arma@mit.edu>
To: <freehaven-dev@seul.org>
Sent: Tuesday, March 14, 2000 7:40 PM
Subject: Re: [freehaven-dev] Why Unpublishing Is Not Allowed


> On Tue, Mar 14, 2000 at 07:23:13PM -0600, Brett Wooldridge wrote:
> > I would argue that the risk is for the publisher to take -- if he/she so
> > chooses.  Assuming that unpub/mod requests *are* authenticated; assume
> > further that this is done by digitally signing the document (or it's shares).
> > If I wish true anonymity, I can simply use a throw-away key -- and do just
> > that, throw it away after publication.  If however, I decide to take the risk --
> > which isn't that risky if I keep all my document keys encrypted -- then I can
> > present the requisite credentials to remove/alter the document.
> >
> > brett
>
> Brett: you should give a brief introduction of yourself and your interests
> with free haven, since nobody but me knows who you are. :)

Sorry to just leap in.  Roger, found me over on the freenet list -- complaining
about their lack of reprudability -- and suggested that I might be interested in
the free haven project.  I live in Austin (Texas) and am an Associate Fellow at
a startup here in town -- Journée Software.  My work background is primarily
in high-availability server designs and distributed computing.  But among
my personal interests is encryption.  I have been interested in developing
a "blacknet" for a little over a year, but have not found any efforts underway
with the design I have in mind.  Free Haven is no different. :|   Nevertheless,
am interested in contributing to all efforts toward anonymous, redundant,
data storage.

> As for unpublishing, our main argument against allowing unpublishing is
> that if the protocol does not support it, then there's no reason to even
> consider that the publisher has the means to unpublish it. If there's even
> a possibility that he didn't throw away his key (or more generally, if
> there's any reason to suspect that a given person might possibly have the
> means to unpublish a document), then the government should grab him and
> torture him just in case he still has it.

This in an interesting point.  However, there is the possible solution in that
*two* (or N) parties could be required to unpublish a document -- depending
on how many signers it has at publication.

> As a second point, I'm concerned that allowing unpublishing
> will open the flood gates to many new attacks and exploits that we haven't
> considered very thoroughly yet.

Agreed.  This means that they would need to be considered thoroughly.  :)

> And as a fourth point (this one is hardest to defend), I really don't
> see any reason why somebody should want to alter or remove a document they
> submit -- the free haven service is meant to be a longterm robust
> distributed persistent anonymous storage system, not a filesystem.

What happens if I find that I left a few steps out of my soap recipe after I've
published.  Instead of soap, hapless users will be making nitro-glycerine.  How
do I revise or remove it?  A poor example, I admit, but many people won't want
their publication to be final.  What if a political dissident publishes a work
under his real name, but then thinks better of it?  Urgently.  :)  Truth is, its as
soon as one says "no one needs to", they will be a million users begging for
it -- some with better reasons that I can contrive.

> Thanks for the input!
> Let's keep the ideas flowing on this until we all agree,

Thanks, Roger!

brett