- From: Sam Hartman <hartmans-ietf@mit.edu>
- Date: Thu, 18 Oct 2012 14:41:47 -0400
- To: Josh Howlett <Josh.Howlett@ja.net>
- Cc: Ben Laurie <benl@google.com>, Henry Story <henry.story@bblfish.net>, "Klaas Wierenga \(kwiereng\)" <kwiereng@cisco.com>, "public-identity\@w3.org" <public-identity@w3.org>, "saag\@ietf.org" <saag@ietf.org>, "public-privacy\@w3.org" <public-privacy@w3.org>, "public-philoweb\@w3.org" <public-philoweb@w3.org>, "public-webid\@w3.org" <public-webid@w3.org>
>>>>> "Josh" == Josh Howlett <Josh.Howlett@ja.net> writes:
>> As I once wrote, anonymity should be the substrate. Once you have
>> that, you can the build on it to be linked when you choose to be,
>> and not linked when you choose not to be. If it is not the
>> substrate, then you do not have this choice.
Josh> +1 -- unlinked must be the default, with the option to
Josh> link. Anything else is untenable.
Josh> Josh.
If you're looking for real unlinkability, that implies no
fingerprinting.
Unfortunately, that rules out a lot of things we generally think of as
good design practices.
It tends to rule out future extensibility, configuration option that can
be remotely observed, and implementation flexibility that can be
remotely observed.
Unfortunately, I think that's too high of a price to pay for
unlinkability.
So I've come to the conclusion that anonymity will depend on protocols
like TOR specifically designed for it.
If you're talking about some weak form of anonymity/unlinkability that
does not involve forbidding fingerprinting, I'd like to better
understand what you mean by unlinkability and what the expected
advantages of this system are. Then we can evaluate whether it achieves
them.
Received on Thursday, 18 October 2012 18:42:49 UTC