On 07/04/2011 01:02 PM, Daniel Kahn Gillmor wrote:
> On 07/02/2011 02:24 PM, [email protected] wrote:
>> I think the best way to do this is through something like a dynamicDNS
>> centralized service.
>
> Can you explain why a centralized service is the right way to go here?

It may not be, but it addresses three problems: 1) how to find other people without a face-to-face meeting, 2) how to enforce community rules for SPAM and abuse, 3) how to map someone's identity (real, pseudo, etc.) to a machine address for their FreedomBox.

bertagaz's proposal, and the one from this weekend about distributed hash tables as a DNS-free locator mechanism, are both interesting proposals for how to resolve #1 above, and perhaps they are two halves of the same solution, since I am unclear how bertagaz's keyserver model will map to physical freedombox locations without an intermediary when those locations change as often as residential IP addresses, and I am not sure how a machine with physical addresses of other machines stored in a DHT converts newly discovered addresses to particular identities.

> In contrast, a centralized service puts a level of power in the hands of
> the maintainers of that service -- something that we're actively trying
> to avoid, if i understand the goals of the project correctly.

Indeed. I tried to explain the purpose and limit of that power in context, but you are quite right that it should be explicitly discussed in light of our shared project goals.

> For example, in your blog post, you explicitly outline a way that such a
> service could effectively ostracize a spammer or advertiser (albeit
> without outlining what the policy should be in a contested case). This
> same mechanism could be used by a powerful adversary to de-voice and
> isolate a dissenter or whistleblower.

For those who did not read the piece, the basic idea is a dynamic DNS server with additional capabilities to handle searching for friends and making an initial "friend request".

You find me on the site, you go through whatever vetting mechanism we want on the site, which could be nothing or having a verified OpenID address, or whatever else we want, and the server gives you my most recent dynamic address plus a little crypto token so that when your freedombox sends a "friend me" ping to my freedombox's address, I can know how you got that address and deal with your request accordingly by sorting it into the right profile or dropping it if you don't have the right token and are just a SPAMer, etc. From there our servers talk to each other directly and have no need to involve the dynamic dns server again unless my address changes and I have not communicated a new one to you directly.

I think it is important to consider that people want a mechanism for enforcing community standards of SPAM and abuse. Everything from forums to online dating sites relies on having a mechanism for filtering out communications and members that push against the community norms. Even bittorrent trackers establish rules about the kind of materials that can be posted and shared on the system. If we do not want an intermediary with power to enforce some of these community norms, we need to think very carefully about how to accomplish the same thing at the distributed ends of our network, because those kinds of social norms are at the center of how people communicate.

As to the specific example of a whistleblower or political dissenter, I don't think the dynamic dns system would have the kind of power necessary to isolate such an individual. The centralized server's only utility lies in making initial contact with a person and, potentially, in updating directions to that person when all other forms of addressing have failed. Once you make a connection between boxes, you are free to establish whatever other channels you wish for maintaining contact, whether that is routine pings with new ip address information, or a hidden TOR service for requesting address changes.

If a powerful opponent were to get an individual's account dropped from one of these dynamic dns servers, that should have no impact on the communications of anyone who had previously made contact, or with anyone who was simply given the new address information after the account deletion. This is just a white pages with a privacy screen, not your ISP. Since this is just a white pages, there is also nothing stopping multiple such sites from operating, just as we currently have social networks, online dating, professional connection sites, and personal blogs. A politically powerful opponent might be able to stop one of these organizations from distributing your contact info, but if we design them well enough from a legal and political position, as say non-profits operated from multiple countries, it should be exceedingly difficult to stop them all. By the same token, an opponent politically powerful enough to subvert that kind of distributed naming system could just as conceivably subvert the existing DNS hierarchy or that of the gpg keyservers.

> When in doubt, we should avoid infrastructure with this kind of
> centralized leverage. too much centralized power already exists in the
> non-freedombox world. Let's not replicate those mistakes.

Agreed, but let's also not overlook the problems solved by a centralized architecture as we move away from that centralization. I would love to hear some more about how we can publish identity and machine contact information through either the keyservers or dht, and particularly about how to protect such contact routes from abuse by SPAMers and other forms of contact abuse.

-Ian

_______________________________________________
Freedombox-discuss mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
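The friend-request flow Ian describes (the directory hands out the current address plus a token; the recipient box sorts the "friend me" ping into a profile or drops it based on that token), as an added example that is not part of the original post or of the FreedomBox project. It assumes a per-account HMAC secret shared between each box and the directory at sign-up; the names DirectoryServer, FreedomBox, the "openid" vetting label and the sample addresses are constructed for illustration:

```python
import hmac
import json
import secrets

class DirectoryServer:
    # Constructed stand-in for the dynamic-DNS "white pages" service.
    def __init__(self):
        self.accounts = {}  # name -> {"addr": ..., "secret": ...}

    def register(self, name, addr):
        # Assumed: box and directory share a per-account secret at sign-up.
        secret = secrets.token_bytes(32)
        self.accounts[name] = {"addr": addr, "secret": secret}
        return secret

    def lookup(self, requester, target, vetting, now):
        # Current address plus a token recording requester, vetting, expiry.
        acct = self.accounts[target]
        claims = {"from": requester, "to": target, "vetting": vetting, "exp": now + 3600}
        payload = json.dumps(claims, sort_keys=True).encode()
        tag = hmac.new(acct["secret"], payload, "sha256").hexdigest()
        return acct["addr"], {"claims": claims, "tag": tag}

class FreedomBox:
    # The recipient box: sorts "friend me" pings by token, drops the rest.
    def __init__(self, name, secret):
        self.name, self.secret = name, secret
        self.profiles = {"verified": [], "unvetted": []}

    def handle_friend_request(self, token, now):
        c = token["claims"]
        payload = json.dumps(c, sort_keys=True).encode()
        expected = hmac.new(self.secret, payload, "sha256").hexdigest()
        if not hmac.compare_digest(expected, token["tag"]):
            return "dropped"  # no valid token: the address came from elsewhere
        if c["to"] != self.name or c["exp"] < now:
            return "dropped"  # token for someone else, or stale/replayed
        bucket = "verified" if c["vetting"] == "openid" else "unvetted"
        self.profiles[bucket].append(c["from"])
        return bucket

def run_demo():
    directory = DirectoryServer()
    alice_box = FreedomBox("alice", directory.register("alice", "203.0.113.10"))
    addr, token = directory.lookup("bob", "alice", "openid", now=1000)
    results = {"addr": addr, "bob": alice_box.handle_friend_request(token, now=1500)}
    # A SPAMer who learned the address elsewhere cannot reuse bob's tag.
    forged = {"claims": dict(token["claims"], **{"from": "spammer"}), "tag": token["tag"]}
    results["forged"] = alice_box.handle_friend_request(forged, now=1500)
    results["expired"] = alice_box.handle_friend_request(token, now=5000)
    return results
```

Once bob's box has alice's address it needs the directory only for a later address change, which is the "white pages" role the post describes.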
