Re: Pseudonyms and Reputations

[Hal <hfinney@shell.portal.com>]

From: tmp@netcom.com
> these identification systems ultimately fall back on `real world'
> identification systems such as birth certificates, social security
> numbers etc. which all can be readily subverted by a determined 
> adversary.

I believe RSA requires a notarized statement, where you have presented the
notaries with three forms of ID.  I would imagine that notaries have some
experience with false ID, but no doubt they can be fooled with sufficient
effort.  Still, for the kinds of applications we are talking about here
(chatting on the net) this is probably adequate.  For more security
you could require a thumbprint which is compared with others on file.

> what, specifically, is problematic about these? does chaum just ignore
> them? does he describe them in greater detail?

Chaum was writing more about financial relationships with creditors,
businesses, etc.  My translation of his ideas into the cyberspace author-
ship arena was not something he discussed directly.

> as for `endorsements for unknown endorsers', it seems to me the reputation
> system you refer to is a sort of `reputation web' not unlike the pgp
> `web of trust' model. a pseudonymous credential has as much weight as
> the pseudonym originating the certification. i.e., if `a' signs `b's 
> pseudonym, that `edge' in the `reputation graph' has as much weight as
> `a' has reputation. that is, it should not be possible to create a whole
> bunch of new pseudonyms, have them all sign each other, and then increase
> your reputation.

In one way it is easier than with pgp.  With pgp we are trying to guess
whether a person is really who he says he is.  This has all sorts of real-
world implications, and as tmp points out these are hard to verify.  With
reputation systems what you really want to know is whether a person's
endorsements are valuable.  Over time you can basically decide this for
yourself, by judging whether those authors recommended by a given person
are ones which you consider good.  Those endorsers whose opinions match
your own would be the ones you pay the most attention to.

> this brings up an interesting idea. future cyberspatial citizens may
> develop an elaborate netiquette that describes how to maximize one's
> advantage through the use of pseudonyms. all kinds of strategies will
> ensue. is it better to have a few good pseudonyms, without diluting
> reputation, or a whole bunch of pseudonyms but a bit more diluted 
> reputation?

With Chaum's system it should not necessarily dilute your reputation to
use a lot of pseudonyms.  OTOH, you are right that informal reputations will
not carry over, and in practice these will be important.

> one of the problems with a positive reputation system is that it would
> workd for `d-type people' <g> whose reputation is primarily negative.
> a whole lot of people would like to put a negative credential on `d'
> so that they would limit his influence in all forums he visits, similar
> to the way that one could globally encourage someone else through
> `accreditation'. `d' would simply not propagate any negative signatures
> to his pseudonyms. 

Negative endorsements, and negative credentials in general, are difficult
to achieve.  Chaum's paper has some discussion of these but it is
hard to follow.

The simple blinded signature model provides a pretty simple way to allow
only one pseudonym per True Name in a given forum, if you assume there is
some way to distinguish people in the real world.  Suppose Cypherwonks
wanted only one person per nym.  And suppose there was an agency which
was able to distinguish people, that is, it could tell when it had seen the
same person twice.  Now, Cypherwonks asks this agency to give a single
blinded signature of a type (exponent) which is unique to that list, to
anyone who wants it, but such that nobody gets more than one.

To be accepted on the Cypherwonks list, then, somebody would have to show
a signature of this particular type, different from everyone else's.  Each
person could only get one such token, which Chaum has called an is-a-person
credential (again, this is a simplification of his idea, I think).

Now tmp has what he wants, the ability for a list to have only one nym
per person.  And in such a situation, negative reputations are important,
because you only get one chance and can't start over with a new nym.

> could such a negative signature system be constructed? it seems possible
> with a centralized `trusted' server, but this is not an ideal solution;
> ideally one would like the system to be possible from the independent
> interactions of people who trust only themselves. this of course is the
> ideal cryptographic model, and the very best and finest algorithms
> (e.g. rsa) conform to it. 

Well, you have to trust that the agency which is verifying uniqueness of
identity doesn't cheat.  But note that the agency does not get any great
privacy-infringing power, as they don't have to know the True Names or
identities of the people they are endorsing, and they don't know their
pseudonyms (since those are blinded when they are signed).

> the problem is similar to preventing double
> spending in a cash system. how do you enforce that a person `spends'
> a certain amount of information? there are no `laws of the conservation 
> of information' as their are of e.g. mass as with a paper currency. in
> fact maybe the double-spending preventative techniques for cash systems
> could be translated to get a negative reputation and prevent people from
> not displaying credentials, even negative ones, they have accrued (just
> in the way people are forced to reveal if they are `printing money', i.e.
> spending spent money)

Chaum did, as I said, have some concept about revealing negative
credentials, perhaps along the lines you are suggesting.  As I followed his
ideas (which wasn't very well), you would have to submit an "I'm not a
jerk" credential with each posting, and the only way to get another
such token would be to get back a response from your posting saying, "OK,
you're still not a jerk."  But if you posted some trash ("Death to
BlackNet") then you wouldn't get back that "OK" token and you'd have lost
your "not a jerk" token for good.  This would work best in a situation
where there was one nym per person, otherwise he could use his other nyms
to endorse his worthless trash.

(I posted a variation on this idea a couple of weeks ago as a way of
handling anonymous remailer complaints without breaking the anonymity of
the remailer user.  A similar token-and-response system was used, also
based closely on the blinded signature system in Magic Money.)

> personally i like chaum's emphasis (or recognition) that forums exist 
> such that restricting pseudonymity in them is natural, fair, 
> and rational, i.e. a desirable design goal. it seems to me that even 
> beyond this, people should be able to construct forums where they demand 
> (or comply, or agree, or whatever) that identity be known, or that it 
> be totally ignored. given all this inquisitional witchhunting of my 
> `true identity' (whatever the !@#$%^&* that is), obviously this forum 
> is in the former category <g>

Well, Larry, you have to realize that you caused us enormous hassle
several months ago, so it's natural that people will be somewhat hostile.
Other pseudonymous posters have not stirred nearly so much interest
(with the possible exception of Xenon, who had some of your own tendencies
to rant at length).  However, in your new incarnation I find your postings
much more interesting.

> what do you think, cpunks, should you have the right to ignore people
> regardless of the pseudonyms they use? again, i ask if it is possible
> to construct a system that protects anonymity but at the same time allows
> someone to filter all pseudonyms associated with another person. it seems
> that we have reached an impasse -- these are two very useful design 
> criteria but they appear to be contradictory. on one hand we would like
> to censor all the `d-type' pseudonyms, but on the other hand we would
> want a `clean slate' for all of our own.

Chaum has some discussion about how you can go to library A and borrow a
book, proving that you have no overdue books at libraries B, C, D, ...,
without compromising your anonymity.  This sounds analogous to proving that
you have no negative credentials from other cyberspace forums.  Unfortunately,
this is a part of his paper I need to read more times to understand.

Hal