Re: [saag] Liking Linkability

Ben Laurie <> Fri, 19 October 2012 13:31 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 60CBD21F868A for <>; Fri, 19 Oct 2012 06:31:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -102.977
X-Spam-Status: No, score=-102.977 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id kccpsNRYblrC for <>; Fri, 19 Oct 2012 06:31:10 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 16B8F21F8685 for <>; Fri, 19 Oct 2012 06:31:09 -0700 (PDT)
Received: by with SMTP id hr7so199012wib.13 for <>; Fri, 19 Oct 2012 06:31:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-system-of-record; bh=cJuJDjS5GQAaFQ2z3LB9isti1fkGBtDjO3o0k4Nuwqk=; b=QNnupJjtVrkFk6Ap7xdaXnMiyiVFTZOEj/Pg7yL/NZLAQX+l4gKDAbgUj84mgo7D7T kNB9kR5DGkcdaIPMg3YrJO6sSgX7wyotlTXjrrrEYfwUyrorVRygX9tqkFyHXCbLax+l +Q26rKAsTcniG6iUPlUeoZI0NEywcoHWU0aDBhKW2JEs8RyfVdEeuyY+ly1+QT0bUJAV pn5t2xc5a9DVaaK5UFiUK1QelO4MB/sIIUUvyIlnyFFKxMfelI6p2bt2BecUZiTCnN5Y bs9nobImOUxug7d9f1lW3HadNzJ0hgDzqzcn/9qp6CG2OjLHsSXUd81SyOYI6Hy779pv 9Mug==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-system-of-record:x-gm-message-state; bh=cJuJDjS5GQAaFQ2z3LB9isti1fkGBtDjO3o0k4Nuwqk=; b=AJRgRrSwKK5OsC2HYkF3+C4+/67yAGrPBbmwtZdJ5dFQIOzd+9ru47suF25KAip0zP wuWR9+b+agJOElhWCqtz0XY1wNFg9qHleV2xjVmC4LgFe0Uy4z+1PMl2Zw3amppM0oAs En/LbBYjupOphcfi5LXWJXTdKg2kmcdYEYxl53dSU00Ish4aXjxakK3KVMkZgNsAMB4+ OZNxpbmF0brX8LaOu5DN0UswujwLMbAzZoFivip2xDzk+x2rT6JB1QuMeSkdRw8WPAER gbD/Rbl+M4KN9Q/5Yjmrrx+AHAVPLCdRFHVhquYYdf6drmyMaapjU3EKXNeJHANmwlLs 0CFA==
MIME-Version: 1.0
Received: by with SMTP id g3mr3332413wiz.5.1350653469032; Fri, 19 Oct 2012 06:31:09 -0700 (PDT)
Received: by with HTTP; Fri, 19 Oct 2012 06:31:08 -0700 (PDT)
In-Reply-To: <>
References: <> <> <201210181904.PAA07773@Sparkle.Rodents-Montreal.ORG> <> <> <>
Date: Fri, 19 Oct 2012 14:31:08 +0100
Message-ID: <>
From: Ben Laurie <>
To: Henry Story <>
Content-Type: text/plain; charset=ISO-8859-1
X-System-Of-Record: true
X-Gm-Message-State: ALoCoQlMxBj5GQmy3Lvqbqai2FXXtOpwjmBvVITAhAKVxZGAwMVDTwbp5XM+SIjKjCx3zMzR5dYD3dWjv1zUG305wOk3uz8+9pQf+zf9aRog52p8ymtSIs3svLF2Qg60/aZMyxaSDg9kVEumtFJGweGfM1vtwhBnYZAJo+HOgjd16M0HwT9K3d2d7LyehQaxqsn9HL1/S8BK
Cc: "" <>, "" <>, "" <>, "" <>, Sam Hartman <>, "" <>
Subject: Re: [saag] Liking Linkability
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 19 Oct 2012 13:31:11 -0000

On 19 October 2012 13:01, Henry Story <> wrote:
> On 18 Oct 2012, at 21:29, Ben Laurie <> wrote:
>> On Thu, Oct 18, 2012 at 8:20 PM, Henry Story <> wrote:
>>> On 18 Oct 2012, at 21:04, Mouse <mouse@Rodents-Montreal.ORG> wrote:
>>>>> [...]
>>>>> Unfortunately, I think that's too high of a price to pay for
>>>>> unlinkability.
>>>>> So I've come to the conclusion that anonymity will depend on
>>>>> protocols like TOR specifically designed for it.
>>>> Is it my imagination, or is this stuff confusing anonymity with
>>>> pseudonymity?  I feel reasonably sure I've missed some of the thread,
>>>> but what I have seem does seem to be confusing the two.
>>>> This whole thing about linking, for example, seems to be based on
>>>> linking identities of some sort, implying that the systems in question
>>>> *have* identities, in which case they are (at best) pseudonymous, not
>>>> anonymous.
>>> With WebID ( ) you have a pseudonymous global identifier,
>>> that is tied to a document on the Web that need only reveal your public key.
>>> That WebID can then link to further information that is access controlled,
>>> so that only your friends would be able to see it.
>>> The first diagram in the spec shows this well
>>> If you put WebID behind TOR and only have .onion WebIDs - something that
>>> should be possible to do - then nobody would know WHERE the box hosting your
>>> profile is, so they would not be able to just find your home location
>>> from your ip-address. But you would still be able to link up in an access
>>> controlled manner to your friends ( who may or may not be serving their pages
>>> behind Tor ).
>>> You would then be unlinkable in the sense of
>>> [[
>>>      Within a particular set of information, the
>>>      inability of an observer or attacker to distinguish whether two
>>>      items of interest are related or not (with a high enough degree of
>>>      probability to be useful to the observer or attacker).
>>> ]]
>>> from any person that was not able to access the resources. But you would
>>> be linkable by your friends. I think you want both. Linkability by those
>>> authorized, unlinkability for those unauthorized. Hence linkability is not
>>> just a negative.
>> I really feel like I am beating a dead horse at this point, but
>> perhaps you'll eventually admit it. Your public key links you.
> The question is to whom? What is the scenario you are imagining, and who is
> the attacker there?
>> Access
>> control on the rest of the information is irrelevant. Indeed, access
>> control on the public key is irrelevant, since you must reveal it when
>> you use the client cert.
> You are imagining that the server I am connecting to, and that I have
> decided to identify myself to, is the one that is attacking me? Right?
> Because otherwise I cannot understand your issue.
> But then I still do not understand your issue, since I deliberately
> did connect to that site in an identifiable manner with a global id.
> I could have created a locally valid ID only, had I wanted to not
> connect with a globally valid one.
> So your issue boils down to this: if I connect to a web site deliberately
> with a global identifier, then I am globally identified by that web site.
> Which is what I wanted.
> So perhaps it is up to you to answer: why should I not want that?

I am not saying you should not want that, I am saying that ACLs on the
resources do not achieve unlinkability.

>> Incidentally, to observers as well as the
>> server you connect to.
> Not when you re-negotiation I think.

That's true, but is not specified in WebID, right? Also, because of
the renegotiation attack, this is currently insecure in many cases.

> And certainly not if you use Tor, right?

Tor has no impact on the visibility of the communication at the server end.

> Social Web Architect
> _______________________________________________
> saag mailing list