Re: [saag] Liking Linkability

Henry Story <> Fri, 19 October 2012 13:46 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 087FA21F868A for <>; Fri, 19 Oct 2012 06:46:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Ph-WvqodvV31 for <>; Fri, 19 Oct 2012 06:46:20 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id A312A21F8685 for <>; Fri, 19 Oct 2012 06:46:19 -0700 (PDT)
Received: by with SMTP id d4so250502eek.31 for <>; Fri, 19 Oct 2012 06:46:18 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to:x-mailer:x-gm-message-state; bh=8smhACMCB7BhPwKS7jOpB9dpORfXoVbWXjkGwwYKTCA=; b=TEb4h5cg9T2pvZkElxq4yvSYYUj1M03EEP2SEAYQtZpV94Qx/lSTJ6vUkxHU1Rww+m B6q7w3a7qNRwxZEG7JREw77TkDHA61LAYrONy4k//5MgAH17QSXdVPzbnnqt43+X+rJP YFG/hCNUVmZO6d2tMgC8Xc9c5gxWETBStuu2/qw/dBjzc4ZRCg8/nlMIvhFMQZjjfpCQ THdJOqklD+hAX1DhFtqVoM++SxH7gCPXPFcoFrSukw+dlFOP/cdswC2kaHLSOChbKELE L/dKQAsdSXzi8YwvSXa5QZD8a39kx6Z7GI69B/N/XmFzvQpmtIwMDGnvwzIzsM2HtSqx Fp3Q==
Received: by with SMTP id r42mr1971739eep.25.1350654378692; Fri, 19 Oct 2012 06:46:18 -0700 (PDT)
Received: from bblfish.home ( []) by with ESMTPS id z3sm1151178eeo.13.2012. (version=SSLv3 cipher=OTHER); Fri, 19 Oct 2012 06:46:16 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_67F87271-93EA-4689-8738-2E9478DFAEE8"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
From: Henry Story <>
In-Reply-To: <>
Date: Fri, 19 Oct 2012 15:46:03 +0200
Message-Id: <>
References: <> <> <201210181904.PAA07773@Sparkle.Rodents-Montreal.ORG> <> <> <> <>
To: Ben Laurie <>
X-Mailer: Apple Mail (2.1499)
X-Gm-Message-State: ALoCoQkew22TpBGNh5rIwPQCpDqwPBRakgdDuAsb31/3lJv06IYpBAFYf62rB0qwtQ5TyW3IN+bP
Cc: "" <>, "" <>, "" <>, "" <>, Sam Hartman <>, "" <>
Subject: Re: [saag] Liking Linkability
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 19 Oct 2012 13:46:21 -0000

On 19 Oct 2012, at 15:31, Ben Laurie <> wrote:

> On 19 October 2012 13:01, Henry Story <> wrote:
>> On 18 Oct 2012, at 21:29, Ben Laurie <> wrote:
>>> On Thu, Oct 18, 2012 at 8:20 PM, Henry Story <> wrote:
>>>> On 18 Oct 2012, at 21:04, Mouse <mouse@Rodents-Montreal.ORG> wrote:
>>>>>> [...]
>>>>>> Unfortunately, I think that's too high of a price to pay for
>>>>>> unlinkability.
>>>>>> So I've come to the conclusion that anonymity will depend on
>>>>>> protocols like TOR specifically designed for it.
>>>>> Is it my imagination, or is this stuff confusing anonymity with
>>>>> pseudonymity?  I feel reasonably sure I've missed some of the thread,
>>>>> but what I have seem does seem to be confusing the two.
>>>>> This whole thing about linking, for example, seems to be based on
>>>>> linking identities of some sort, implying that the systems in question
>>>>> *have* identities, in which case they are (at best) pseudonymous, not
>>>>> anonymous.
>>>> With WebID ( ) you have a pseudonymous global identifier,
>>>> that is tied to a document on the Web that need only reveal your public key.
>>>> That WebID can then link to further information that is access controlled,
>>>> so that only your friends would be able to see it.
>>>> The first diagram in the spec shows this well
>>>> If you put WebID behind TOR and only have .onion WebIDs - something that
>>>> should be possible to do - then nobody would know WHERE the box hosting your
>>>> profile is, so they would not be able to just find your home location
>>>> from your ip-address. But you would still be able to link up in an access
>>>> controlled manner to your friends ( who may or may not be serving their pages
>>>> behind Tor ).
>>>> You would then be unlinkable in the sense of
>>>> [[
>>>>     Within a particular set of information, the
>>>>     inability of an observer or attacker to distinguish whether two
>>>>     items of interest are related or not (with a high enough degree of
>>>>     probability to be useful to the observer or attacker).
>>>> ]]
>>>> from any person that was not able to access the resources. But you would
>>>> be linkable by your friends. I think you want both. Linkability by those
>>>> authorized, unlinkability for those unauthorized. Hence linkability is not
>>>> just a negative.
>>> I really feel like I am beating a dead horse at this point, but
>>> perhaps you'll eventually admit it. Your public key links you.
>> The question is to whom? What is the scenario you are imagining, and who is
>> the attacker there?
>>> Access
>>> control on the rest of the information is irrelevant. Indeed, access
>>> control on the public key is irrelevant, since you must reveal it when
>>> you use the client cert.
>> You are imagining that the server I am connecting to, and that I have
>> decided to identify myself to, is the one that is attacking me? Right?
>> Because otherwise I cannot understand your issue.
>> But then I still do not understand your issue, since I deliberately
>> did connect to that site in an identifiable manner with a global id.
>> I could have created a locally valid ID only, had I wanted to not
>> connect with a globally valid one.
>> So your issue boils down to this: if I connect to a web site deliberately
>> with a global identifier, then I am globally identified by that web site.
>> Which is what I wanted.
>> So perhaps it is up to you to answer: why should I not want that?
> I am not saying you should not want that, I am saying that ACLs on the
> resources do not achieve unlinkability.

Can you expand on what the dangers are?

>>> Incidentally, to observers as well as the
>>> server you connect to.
>> Not when you re-negotiation I think.
> That's true, but is not specified in WebID, right? Also, because of
> the renegotiation attack, this is currently insecure in many cases.

WebID on TLS does rely on TLS. Security is not a goal one can reach,
it is a way of travelling. So I do expect every security protocol to
have issues. These ones are being fixed, and if more people build on 
them, the priority of the need to fix them will grow faster.

>> And certainly not if you use Tor, right?
> Tor has no impact on the visibility of the communication at the server end.

You really need to expand on what the danger is. Because again
I think you are thinking of the site I am connecting to as the attacker.
But I may be wrong.

>> Social Web Architect
>> _______________________________________________
>> saag mailing list

Social Web Architect