- From: Ben Laurie <benl@google.com>
- Date: Fri, 19 Oct 2012 14:31:08 +0100
- To: Henry Story <henry.story@bblfish.net>
- Cc: Ben Laurie <ben@links.org>, "public-philoweb@w3.org" <public-philoweb@w3.org>, "public-identity@w3.org" <public-identity@w3.org>, "public-privacy@w3.org" <public-privacy@w3.org>, Sam Hartman <hartmans-ietf@mit.edu>, "public-webid@w3.org" <public-webid@w3.org>, "saag@ietf.org" <saag@ietf.org>
On 19 October 2012 13:01, Henry Story <henry.story@bblfish.net> wrote: > > On 18 Oct 2012, at 21:29, Ben Laurie <ben@links.org> wrote: > >> On Thu, Oct 18, 2012 at 8:20 PM, Henry Story <henry.story@bblfish.net> wrote: >>> >>> On 18 Oct 2012, at 21:04, Mouse <mouse@Rodents-Montreal.ORG> wrote: >>> >>>>> [...] >>>>> Unfortunately, I think that's too high of a price to pay for >>>>> unlinkability. >>>>> So I've come to the conclusion that anonymity will depend on >>>>> protocols like TOR specifically designed for it. >>>> >>>> Is it my imagination, or is this stuff confusing anonymity with >>>> pseudonymity? I feel reasonably sure I've missed some of the thread, >>>> but what I have seem does seem to be confusing the two. >>>> >>>> This whole thing about linking, for example, seems to be based on >>>> linking identities of some sort, implying that the systems in question >>>> *have* identities, in which case they are (at best) pseudonymous, not >>>> anonymous. >>> >>> With WebID ( http://webid.info/ ) you have a pseudonymous global identifier, >>> that is tied to a document on the Web that need only reveal your public key. >>> That WebID can then link to further information that is access controlled, >>> so that only your friends would be able to see it. >>> >>> The first diagram in the spec shows this well >>> >>> http://webid.info/spec/#publishing-the-webid-profile-document >>> >>> If you put WebID behind TOR and only have .onion WebIDs - something that >>> should be possible to do - then nobody would know WHERE the box hosting your >>> profile is, so they would not be able to just find your home location >>> from your ip-address. But you would still be able to link up in an access >>> controlled manner to your friends ( who may or may not be serving their pages >>> behind Tor ). >>> >>> You would then be unlinkable in the sense of >>> http://tools.ietf.org/html/draft-iab-privacy-considerations-03 >>> >>> [[ >>> Within a particular set of information, the >>> inability of an observer or attacker to distinguish whether two >>> items of interest are related or not (with a high enough degree of >>> probability to be useful to the observer or attacker). >>> ]] >>> >>> from any person that was not able to access the resources. But you would >>> be linkable by your friends. I think you want both. Linkability by those >>> authorized, unlinkability for those unauthorized. Hence linkability is not >>> just a negative. >> >> I really feel like I am beating a dead horse at this point, but >> perhaps you'll eventually admit it. Your public key links you. > > The question is to whom? What is the scenario you are imagining, and who is > the attacker there? > >> Access >> control on the rest of the information is irrelevant. Indeed, access >> control on the public key is irrelevant, since you must reveal it when >> you use the client cert. > > You are imagining that the server I am connecting to, and that I have > decided to identify myself to, is the one that is attacking me? Right? > Because otherwise I cannot understand your issue. > > But then I still do not understand your issue, since I deliberately > did connect to that site in an identifiable manner with a global id. > I could have created a locally valid ID only, had I wanted to not > connect with a globally valid one. > > So your issue boils down to this: if I connect to a web site deliberately > with a global identifier, then I am globally identified by that web site. > Which is what I wanted. > > So perhaps it is up to you to answer: why should I not want that? I am not saying you should not want that, I am saying that ACLs on the resources do not achieve unlinkability. >> Incidentally, to observers as well as the >> server you connect to. > > Not when you re-negotiation I think. That's true, but is not specified in WebID, right? Also, because of the renegotiation attack, this is currently insecure in many cases. > And certainly not if you use Tor, right? Tor has no impact on the visibility of the communication at the server end. > > > Social Web Architect > http://bblfish.net/ > > > _______________________________________________ > saag mailing list > saag@ietf.org > https://www.ietf.org/mailman/listinfo/saag >
Received on Friday, 19 October 2012 13:31:41 UTC