Re: [saag] Liking Linkability

Sam Hartman <> Thu, 18 October 2012 18:51 UTC

From: Sam Hartman <>
To: Josh Howlett <>
Date: Thu, 18 Oct 2012 14:41:47 -0400
In-Reply-To: <> (Josh Howlett's message of "Thu, 18 Oct 2012 16:08:34 +0000")
Cc: "Klaas Wierenga \(kwiereng\)" <>, "" <>, "" <>, "" <>, "" <>, "" <>

>>>>> "Josh" == Josh Howlett <> writes:

    >> As I once wrote, anonymity should be the substrate. Once you have
    >> that, you can then build on it to be linked when you choose to be,
    >> and not linked when you choose not to be. If it is not the
    >> substrate, then you do not have this choice.

    Josh> +1 -- unlinked must be the default, with the option to
    Josh> link. Anything else is untenable.

    Josh> Josh.

If you're looking for real unlinkability, that implies no

Unfortunately, that rules out a lot of things we generally think of as
good design practices.
It tends to rule out future extensibility, configuration options that can
be remotely observed, and implementation flexibility that can be
remotely observed.

Unfortunately, I think that's too high of a price to pay for
So I've come to the conclusion that anonymity will depend on protocols
like TOR specifically designed for it.

If you're talking about some weak form of anonymity/unlinkability that
does not involve forbidding fingerprinting, I'd like to better
understand what you mean by unlinkability and what the expected
advantages of this system are.  Then we can evaluate whether it achieves