- From: Sam Hartman <hartmans-ietf@mit.edu>
- Date: Thu, 18 Oct 2012 14:41:47 -0400
- To: Josh Howlett <Josh.Howlett@ja.net>
- Cc: Ben Laurie <benl@google.com>, Henry Story <henry.story@bblfish.net>, "Klaas Wierenga \(kwiereng\)" <kwiereng@cisco.com>, "public-identity\@w3.org" <public-identity@w3.org>, "saag\@ietf.org" <saag@ietf.org>, "public-privacy\@w3.org" <public-privacy@w3.org>, "public-philoweb\@w3.org" <public-philoweb@w3.org>, "public-webid\@w3.org" <public-webid@w3.org>
>>>>> "Josh" == Josh Howlett <Josh.Howlett@ja.net> writes: >> As I once wrote, anonymity should be the substrate. Once you have >> that, you can the build on it to be linked when you choose to be, >> and not linked when you choose not to be. If it is not the >> substrate, then you do not have this choice. Josh> +1 -- unlinked must be the default, with the option to Josh> link. Anything else is untenable. Josh> Josh. If you're looking for real unlinkability, that implies no fingerprinting. Unfortunately, that rules out a lot of things we generally think of as good design practices. It tends to rule out future extensibility, configuration option that can be remotely observed, and implementation flexibility that can be remotely observed. Unfortunately, I think that's too high of a price to pay for unlinkability. So I've come to the conclusion that anonymity will depend on protocols like TOR specifically designed for it. If you're talking about some weak form of anonymity/unlinkability that does not involve forbidding fingerprinting, I'd like to better understand what you mean by unlinkability and what the expected advantages of this system are. Then we can evaluate whether it achieves them.
Received on Thursday, 18 October 2012 18:42:49 UTC