Hi all,

thanks for the clarifications.

As for breaking IP-based nym, I think it has to be demonstrated in practice that the effects are so bad. Wikipedia has moderately ambitious adversaries, and it is quite possible that they can be fought off with weak defense mechanisms.

Also, the trivial replacement of IPs as pre-tokens by e-mail addresses, although still far from perfect, would work much better with respect to your critique.

m.

On Mon, Oct 31, 2005 at 07:15:52AM -0500, Anthony DiPierro wrote:
> To: or-talk@xxxxxxxxxxxxx
> From: Anthony DiPierro <or@xxxxxxxxx>
> Date: Mon, 31 Oct 2005 07:15:52 -0500
> Subject: Re: Wikipedia and Tor - a solution in the works?
>
> On 10/30/05, Matthias Fischmann <fis@xxxxxxxxxxxxxxxxx> wrote:
> >
> > this is where nym comes in. it hides the IP address from wikipedia,
> > replacing it with a token that is exactly as hard to obtain as an IP
> > address, but detached from the user's real identity. the
> > authentication server knows which IP address gets a token, and that no
> > IP address gets more than one token, but doesn't know the mapping
> > between IP addresses and tokens. wikipedia can only see tokens, but
> > no IP addresses (except those of tor nodes), but trusts the
> > authentication server not to issue several tokens to the same address.
> >
> I don't really see how nym provides the security that was talked about by
> Mr. Wales, with the authentication server and the trusted cloud. It is
> really an entirely different solution. But more importantly, nym, as I
> understand it, doesn't provide the same security as using the IP address
> directly. Nym doesn't provide you with a token showing that you have a unique IP
> address, it provides you with a token showing that - at some point in the
> past - you had a unique IP address.
>
> I'm not sure when, if ever, tokens and certificates are supposed to expire,
> but between expirations if you happen to be using an IP address which was
> used by someone else to obtain a token (or, furthermore, if you simply have
> lost the certificate you obtained for yourself), then you can't obtain a
> token, and therefore can't obtain a certificate. Furthermore, it would be
> rather trivial for anyone on an account which uses dynamic IP addresses to
> build up a huge assortment of valid certificates, which could be used later
> if one of them becomes invalid, and in fact such selfish behavior would
> inherently destroy the system, as major ISPs would have a scarce supply of
> tokens available.
>
> Finally, the anonymity only increases as more people use the system (and in
> fact would be completely unacceptable for anything but the most trivial of
> protections without a significant number of users), and usability decreases
> as more people use the system (for the reasons above).
>
> I'm not even going to get into what would happen if someone manages to
> spoof IP addresses to the token server. This is arguably a problem with
> Wikipedia's current system anyway, though on a more temporary basis. Same
> thing with IPv6.
>
> > if wikipedia is unhappy with a user, it bans that user's token (with
> > the same effect as banning an IP address if there was no tor network).
> >
> Effectively banning the IP address *forever*. Yes, you could add an
> expiration on the certificate to allow someone to obtain a new token after a
> certain period of time, but the shorter you make the period of time, the
> less the anonymity you're providing (and the less useful the block).
>
> Anthony

--
Institute of Information Systems, Humboldt-Universitaet zu Berlin
web: http://www.wiwi.hu-berlin.de/~fis/
e-mail: fis@xxxxxxxxxxxxxxxxx
tel: +49 30 2093-5742
fax: +49 30 2093-5741
office: Spandauer Strasse 1, R.324, 10178 Berlin, Germany
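An added sketch of the scheme debated in this thread (not code from nym or from either poster): an issuer that hands out one token per IP address without learning the token, a service that sees and bans tokens only, and the dynamic-IP hoarding case raised in the quoted reply. It assumes the issuer uses a textbook RSA blind signature, which the thread does not specify; the key, the address pool and all class and function names are constructed for illustration.

```python
import hashlib, secrets
from math import gcd

# Constructed toy RSA key for the token issuer (two Mersenne primes; far too
# small for real use). Blind signing is an assumption, not stated in the thread.
P, Q, E = 2**61 - 1, 2**31 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def digest(token: bytes) -> int:
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N

class Issuer:
    """Authentication server: sees IP addresses, never the finished token."""
    def __init__(self):
        self.log = {}                      # ip -> blinded value it signed
    def issue(self, ip, blinded):
        if ip in self.log:                 # one token per address, no expiry modelled
            return None
        self.log[ip] = blinded
        return pow(blinded, D, N)

def request_token(issuer, ip):
    """Client side: blind a random token, have it signed, unblind the result."""
    token = secrets.token_bytes(16)
    r = secrets.randbelow(N - 2) + 2
    while gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    signed = issuer.issue(ip, digest(token) * pow(r, E, N) % N)
    return None if signed is None else (token, signed * pow(r, -1, N) % N)

class Service:
    """The wiki: sees tokens only, checks the issuer's signature and its ban list."""
    def __init__(self):
        self.banned = set()
    def accepts(self, token, sig):
        return pow(sig, E, N) == digest(token) and token not in self.banned

def scenario():
    issuer, wiki = Issuer(), Service()
    pool = [f"192.0.2.{i}" for i in range(1, 5)]         # constructed dynamic-IP pool
    hoard = [request_token(issuer, ip) for ip in pool]   # one subscriber, four leases
    latecomer = request_token(issuer, pool[0])           # next holder of that address
    wiki.banned.add(hoard[0][0])                         # wiki bans one token
    return issuer, wiki, hoard, latecomer

if __name__ == "__main__":
    issuer, wiki, hoard, late = scenario()
    print([wiki.accepts(*t) for t in hoard], late)
```

The run shows the trade-off in both directions: the ban removes only one of the four hoarded tokens, while the later user of the first address is refused a token outright.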