
[freehaven-dev] Revocation


The ability to revoke or unpublish shares would provide much greater
flexibility to the Free Haven system. Specifically, this would allow
a much more realistic emulation of an actual read-write filesystem,
where published documents could be updated as newer versions became
available. Indeed, it also allows political dissidents who publish under
their real name to realize their mistake and unpublish the documents.

Revocation could be implemented by allowing the author to come up with
a random private value $x$, and then publishing $H(x)$ inside each
share. If the author wants to unpublish a document, he would broadcast
an unpublish request along with his original value $x$ (and also $H(x)$
for the sake of convenience and efficiency), and all servers which are
currently holding shares of the document would expire them.

However, there are a number of extra attacks this allows on the system:
\begin{itemize}
\item It complicates the buddy system greatly, since we're not sure that
the unpublish request would reach the buddy of a given share. Indeed,
an adversary might send unpublishing requests to some members of the
servnet and not others, in an attempt to cause havoc in the trust system,
or even to try to gain insight into the current location of some shares.
\item Authors might use the same hash for new shares, and thus `link'
documents. Adversaries might also use the same $H(x)$ even though they
are unaware of the value of $x$: this would cause artificial linking,
as observers might conclude that the publisher of the original document
also published the later documents.
\item The presence of an unpublishing tag $H(x)$ in a share assigns
a sort of `ownership' to a share that is not present otherwise. This
may have subtle implications towards publisher and reader anonymity --
for instance, a publisher who remembers his $x$ has evidence on his
computer that he was associated with that share, thus breaking perfect
forward author-anonymity.
\end{itemize}

In addition, if revocation exists, then the Church of Scientology (or
other relevant intelligence agency) has an incentive to track down the
original author of the document, because chances are good he still has
the value $x$ which would allow them to remove the document from Free
Haven. Even if the author immediately destroys his $x$, the adversary has
sufficient reason to suspect that he still has it that it is worthwhile
for them to spend resources tracking him.

This problem can be ameliorated by making the unpublishing tag optional.
This means that the share itself will make it clear whether that share
can be unpublished, so if no unpublishing tag is present, there should
be no reason to try to track down the author.  However, even with
this protection the Church can still republish the document {\em with}
a revocation tag, and use that as `reasonable cause' for hunting down
the publisher.
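As an added illustration (not code from the Free Haven design or from the freehaven-dev authors), the following Python sketch models the unpublishing tag described above: the author picks a random private $x$, stores $H(x)$ in every share, and a server expires shares only when handed an $x$ that actually hashes to the tag, treating the accompanying $H(x)$ purely as a hint. It also models three of the objections raised: an unpublish request that reaches only some servers, an adversary who reuses $H(x)$ without knowing $x$ so that an observer links the two documents by tag alone, and the optional-tag variant, where a share with no tag simply cannot be expired. SHA-256 standing in for $H$, the share layout, the round-robin placement and every name below are assumptions of the example.

```python
"""Toy model of the unpublishing tag H(x) (added example; not Free Haven code).

Assumptions made for illustration: SHA-256 stands in for H, a share is a
small dataclass, a "server" is an in-memory list of shares, and the names
below (Share, Server, publish, broadcast_unpublish, ...) are invented here.
"""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def H(x: bytes) -> bytes:
    """The one-way hash the author publishes inside each share."""
    return hashlib.sha256(x).digest()


@dataclass
class Share:
    doc_id: str                  # which document this share belongs to
    index: int                   # position of the share within the document
    payload: bytes
    tag: Optional[bytes] = None  # H(x) if revocable; None = cannot be unpublished


@dataclass
class Server:
    name: str
    shares: List[Share] = field(default_factory=list)

    def store(self, share: Share) -> None:
        self.shares.append(share)

    def unpublish(self, x: bytes, hx: bytes) -> int:
        """Expire every share tagged H(x); return how many were dropped.

        hx is only the convenience copy carried in the request: the server
        recomputes H(x) itself and ignores the request if it does not match.
        """
        if H(x) != hx:
            return 0
        before = len(self.shares)
        self.shares = [s for s in self.shares if s.tag != hx]
        return before - len(self.shares)


def new_tag() -> Tuple[bytes, bytes]:
    """Author side: pick a random private x and its public tag H(x)."""
    x = secrets.token_bytes(32)
    return x, H(x)


def publish(servers: List[Server], doc_id: str, fragments: List[bytes],
            tag: Optional[bytes] = None) -> None:
    """Spread the fragments over the servers round-robin, all carrying the same tag."""
    for i, frag in enumerate(fragments):
        servers[i % len(servers)].store(Share(doc_id, i, frag, tag))


def broadcast_unpublish(servers: List[Server], x: bytes, hx: bytes) -> Dict[str, int]:
    """Send the unpublish request (x, H(x)) to the given servers only."""
    return {srv.name: srv.unpublish(x, hx) for srv in servers}


def linked_documents(servers: List[Server], tag: bytes) -> List[str]:
    """What an observer can infer: every document whose shares carry this tag."""
    return sorted({s.doc_id for srv in servers for s in srv.shares if s.tag == tag})


def count_shares(servers: List[Server], doc_id: str) -> int:
    return sum(1 for srv in servers for s in srv.shares if s.doc_id == doc_id)


def demo() -> Dict[str, object]:
    servers = [Server(f"s{i}") for i in range(3)]
    x, hx = new_tag()

    # Constructed sample data: the author's revocable document, an untagged
    # document, and an adversary's document that reuses H(x) without knowing x.
    publish(servers, "manifesto", [b"m0", b"m1", b"m2", b"m3"], tag=hx)
    publish(servers, "untagged", [b"u0", b"u1"])
    publish(servers, "imposter", [b"i0", b"i1"], tag=hx)

    # Artificial linking: the tag alone ties "imposter" to "manifesto".
    linked = linked_documents(servers, hx)

    # A request carrying the wrong x is rejected by every server.
    bad = sum(broadcast_unpublish(servers, b"not the real x", hx).values())

    # Partial broadcast: only s0 and s1 see the real request; s2 keeps its share.
    removed = broadcast_unpublish(servers[:2], x, hx)

    return {
        "linked": linked,
        "bad_x_removed": bad,
        "removed": removed,
        "manifesto_left": count_shares(servers, "manifesto"),
        "untagged_left": count_shares(servers, "untagged"),
        "imposter_left": count_shares(servers, "imposter"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` leaves one `manifesto` share alive on the server the request never reached, which is exactly the inconsistency the buddy-system objection is about, while the untagged document is untouched because there is no tag to match. Note also a property of this toy model rather than of the page: because the adversary's shares carry the author's $H(x)$, the author's own unpublish request expires them too.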

Because the ability to revoke shares potentially puts the original
publisher in increased physical danger, as well as increasing the set
of attacks on the servnet infrastructure, we chose to leave revocation
out of the current design.