Re: [saag] Liking Linkability from Henry Story on 2012-10-19 (public-privacy@w3.org from October to December 2012)

From: Henry Story <henry.story@bblfish.net>
Date: Fri, 19 Oct 2012 16:16:13 +0200
To: Ben Laurie <benl@google.com>
Cc: Ben Laurie <ben@links.org>, "public-philoweb@w3.org" <public-philoweb@w3.org>, "public-identity@w3.org" <public-identity@w3.org>, "public-privacy@w3.org" <public-privacy@w3.org>, Sam Hartman <hartmans-ietf@mit.edu>, "public-webid@w3.org" <public-webid@w3.org>, "saag@ietf.org" <saag@ietf.org>
Message-Id: <67F4F93A-BE4C-4AF0-BA02-0096930820E1@bblfish.net>
On 19 Oct 2012, at 15:52, Ben Laurie <benl@google.com> wrote:

> On 19 October 2012 14:46, Henry Story <henry.story@bblfish.net> wrote:
>> 
>> On 19 Oct 2012, at 15:31, Ben Laurie <benl@google.com> wrote:
>> 
>>> On 19 October 2012 13:01, Henry Story <henry.story@bblfish.net> wrote:
>>>> 
>>>> On 18 Oct 2012, at 21:29, Ben Laurie <ben@links.org> wrote:
>>>> 
>>>>> On Thu, Oct 18, 2012 at 8:20 PM, Henry Story <henry.story@bblfish.net> wrote:
>>>>>> 
>>>>>> On 18 Oct 2012, at 21:04, Mouse <mouse@Rodents-Montreal.ORG> wrote:
>>>>>> 
>>>>>>>> [...]
>>>>>>>> Unfortunately, I think that's too high of a price to pay for
>>>>>>>> unlinkability.
>>>>>>>> So I've come to the conclusion that anonymity will depend on
>>>>>>>> protocols like TOR specifically designed for it.
>>>>>>> 
>>>>>>> Is it my imagination, or is this stuff confusing anonymity with
>>>>>>> pseudonymity?  I feel reasonably sure I've missed some of the thread,
>>>>>>> but what I have seem does seem to be confusing the two.
>>>>>>> 
>>>>>>> This whole thing about linking, for example, seems to be based on
>>>>>>> linking identities of some sort, implying that the systems in question
>>>>>>> *have* identities, in which case they are (at best) pseudonymous, not
>>>>>>> anonymous.
>>>>>> 
>>>>>> With WebID ( http://webid.info/ ) you have a pseudonymous global identifier,
>>>>>> that is tied to a document on the Web that need only reveal your public key.
>>>>>> That WebID can then link to further information that is access controlled,
>>>>>> so that only your friends would be able to see it.
>>>>>> 
>>>>>> The first diagram in the spec shows this well
>>>>>> 
>>>>>> http://webid.info/spec/#publishing-the-webid-profile-document
>>>>>> 
>>>>>> If you put WebID behind TOR and only have .onion WebIDs - something that
>>>>>> should be possible to do - then nobody would know WHERE the box hosting your
>>>>>> profile is, so they would not be able to just find your home location
>>>>>> from your ip-address. But you would still be able to link up in an access
>>>>>> controlled manner to your friends ( who may or may not be serving their pages
>>>>>> behind Tor ).
>>>>>> 
>>>>>> You would then be unlinkable in the sense of
>>>>>> http://tools.ietf.org/html/draft-iab-privacy-considerations-03
>>>>>> 
>>>>>> [[
>>>>>>    Within a particular set of information, the
>>>>>>    inability of an observer or attacker to distinguish whether two
>>>>>>    items of interest are related or not (with a high enough degree of
>>>>>>    probability to be useful to the observer or attacker).
>>>>>> ]]
>>>>>> 
>>>>>> from any person that was not able to access the resources. But you would
>>>>>> be linkable by your friends. I think you want both. Linkability by those
>>>>>> authorized, unlinkability for those unauthorized. Hence linkability is not
>>>>>> just a negative.
>>>>> 
>>>>> I really feel like I am beating a dead horse at this point, but
>>>>> perhaps you'll eventually admit it. Your public key links you.
>>>> 
>>>> The question is to whom? What is the scenario you are imagining, and who is
>>>> the attacker there?
>>>> 
>>>>> Access
>>>>> control on the rest of the information is irrelevant. Indeed, access
>>>>> control on the public key is irrelevant, since you must reveal it when
>>>>> you use the client cert.
>>>> 
>>>> You are imagining that the server I am connecting to, and that I have
>>>> decided to identify myself to, is the one that is attacking me? Right?
>>>> Because otherwise I cannot understand your issue.
>>>> 
>>>> But then I still do not understand your issue, since I deliberately
>>>> did connect to that site in an identifiable manner with a global id.
>>>> I could have created a locally valid ID only, had I wanted to not
>>>> connect with a globally valid one.
>>>> 
>>>> So your issue boils down to this: if I connect to a web site deliberately
>>>> with a global identifier, then I am globally identified by that web site.
>>>> Which is what I wanted.
>>>> 
>>>> So perhaps it is up to you to answer: why should I not want that?
>>> 
>>> I am not saying you should not want that, I am saying that ACLs on the
>>> resources do not achieve unlinkability.
>> 
>> Can you expand on what the dangers are?
>> 
>>> 
>>>>> Incidentally, to observers as well as the
>>>>> server you connect to.
>>>> 
>>>> Not when you re-negotiation I think.
>>> 
>>> That's true, but is not specified in WebID, right? Also, because of
>>> the renegotiation attack, this is currently insecure in many cases.
>> 
>> WebID on TLS does rely on TLS. Security is not a goal one can reach,
>> it is a way of travelling. So I do expect every security protocol to
>> have issues. These ones are being fixed, and if more people build on
>> them, the priority of the need to fix them will grow faster.
>> 
>>> 
>>>> And certainly not if you use Tor, right?
>>> 
>>> Tor has no impact on the visibility of the communication at the server end.
>> 
>> You really need to expand on what the danger is. Because again
>> I think you are thinking of the site I am connecting to as the attacker.
>> But I may be wrong.
> 
> I'm getting quite tired of this: the point is, you cannot achieve
> unlinkability with WebID except by using a different WebIDs. You made
> the claim that ACLs on resources achieve unlinkability. This is
> incorrect.

The definition of unlinkability higher up is relative to the notion of
an attacker. That is why you cannot just make a statement that WebID
cannot achieve unlinkability without specifying who the attackers are.
Such a sentence is incomplete.

> 
> So yes, the scenario is there are two sites that I connect to using
> WebID and I want each of them to not be able to link my connections to
> the other. To do this, I need two WebIDs, one for each site. ACLs do
> not assist.

Thanks for filling in the picture.

So the difference between us is that your are considering situations
where you wish to identify to a web site which you think of as an
attacker. There WebID is not the right technology, and indeed very
few technologies may be right - indeed it may be impossible for that
to be used by a large public, since most such attacking sites would 
ask a user for his e-mail address, or a few pieces of information that
together are linkable, and link him/her.

In the situations we are considering with WebID the sites we are 
connecting to are not thought of as the enemy. Now I agree we should 
add a  privacy/security section to the spec ( ISSUE-68 [1] ) that
makes this limitation clear.
  In some situations this is problematic. But for creating a distributed
SocialWeb which is what I am interested in doing, I think this is essential. 
We want to be able to allow friends of friends to work together, create
ad hoc working groups of people with distributed identities, etc... These
are the types of things people do one social networks, we just want to do
those on a global scale with no center of control.

Does that make sense? Would adding that to a privacy section be satisfactory
to you?

Henry

[1] http://www.w3.org/2005/Incubator/webid/track/issues/68

Social Web Architect
http://bblfish.net/
Attachments

application/pkcs7-signature attachment: smime.p7s
Received on Friday, 19 October 2012 14:16:59 UTC