[4284] in cryptography@c2.net mail archive

Re: Crypto for some of the DNS/TM mess

daemon@ATHENA.MIT.EDU (Anonymous)
Sat Mar 6 16:22:31 1999

Date: Sat, 6 Mar 1999 05:20:27 +0100
From: Anonymous <nobody@replay.com>
To: cryptography@c2.net

Adam Back wrote:

> - it may be possible to use Matt Blaze's proxy crypto construct to
> provide a proxy signing key for the credential if a public proxy
> function can be found corresponding to the signature algorithm used.
> This would allow signatures to be made without requiring disclosure of
> the private key.  (Disclaimer: a) I haven't looked at the function
> used, b) I don't think anyone has successfully constructed _any_
> public proxy functions for any cryptosystems yet)

I think the provable security of the credential system would insure that
this kind of thing won't work.

> - you can manually proxy sign data even without proxy crypto -- just
> perfectly anonymously sign domain registration documents for £5 each.
> The perfect "crime" (and victimless too).  I'll borrow a few dozen
> non-net friends' credentials :-)

Several other people have made similar observations, including Bill
Frantz, Jim McCoy, and Ben Laurie.

Keep in mind that this system is intended as an alternative to the
present system where people must give out their identity and contact
information when they register.  All these comments about colluding with
others to register in multiple names apply equally to the current system.
No system can prevent this.  Hence this point is irrelevant in considering
whether the current DNS registry should be replaced by a pseudonymous one.

The original concern about anonymous/pseudonymous systems was that
they might make it much easier than in the present system to register
multiple domain names undetectably.  A purely anonymous system, where
there was no linkage between names registered to the same person,
would have this problem.  There would be no way to tell when someone
was registering multiple names.

The question was whether a cryptographic system could protect people's
privacy, not reveal who was registering which names, but still allow
people to know when someone was buying up large numbers of names.
The pseudonym/credential systems show that it is possible to add privacy
without greatly increasing the ease of abuse.

People have wondered about the necessity of knowing when multiple names
are owned by the same person.  I don't fully understand the need for it.
But it might be useful in identifying attempts to monopolize some region
of the name space.

Consider the example of a big developer buying up all the houses on your
block.  It may take a while for your neighbors to realize that the value
of their homes has greatly increased.  Making information available about
who the buyers are will help people to recognize these kinds of actions.
Ultimately it improves economic efficiency by making more information
available to all parties.

This must be traded off against the loss of privacy involved.  But in
this case the loss is relatively minor.  The identities of the would-be
monopolists are not revealed, only the fact that these concentrations
of name registrations exist.  This is a small loss of privacy and provides
information which can help the market to operate.

We should also recognize the practical issue of institutional conservatism.
Losing the ability to learn the names, addresses and phone numbers of
domain name registrants is a major loss of control for people concerned
about such things.  Going to a fully anonymous system is too big a step
for people accustomed to detailed knowledge of who owns what names.
The pseudonymous system provides an intermediate level of information
and privacy, which might make it a more acceptable alternative to the
status quo.

Ben Laurie wrote:

> Sure, but suppose I own a block of flats, or an office block. I can rent
> "identity space" to anyone who wants to register hundreds of identities,
> which will easily get around this restriction. Could be quite a
> lucrative business actually. Somewhat akin to PO boxes...

This is one aspect in which the pseudonymous system does allow for
more abuse than the current system.  Presently, if someone does this,
there will be multiple names registered with very similar addresses.
Someone can observe this and conclude that there is a good chance that
one person is behind all those addresses.  In the pseudonymous system, it
may be possible to see that there are suspiciously similar addresses in
the contact database, but there is no way to correlate that information
with domain name registrations.  There might be some technical fixes
possible, but they would probably shift the balance away from privacy.

