(There has been some discussion of controlling floods on USENET
through mail2news gateways on remailer-operators list recently -- take
a look for example at alt.anon.privacy-server).
On Mon, Feb 25, 2002 at 11:02:47AM +0100, christian mock wrote:
the killer issue ATM seems to be relative CPU performance levels;
athlon/1GHz 378377 hashes per sec
pentium/100 28745 hashes per sec
this means we have a factor of 13 for machines that can reasonably
be expected to be in service today (athlon vs P1/100),
this means that with the proposed 29 bits, it would take about 1.5
hours on the celeron 333, and more than one day on the 486.
So this is indeed a problem.
The other proposal I saw recently here was adapative charging --
charge nothing unless flood is detected, then increase postage
requirement dynamically until the flood is squelched when the flooder
is slowed down to a trickle.
This has a couple of problems -- firstly the sender has no direct
connection to the resource which is setting the price, so it is
inconvenient to find out what value to put on the token. Anyway by
the time the token arrives perhaps the price has increased and so the
mail bounces.
Related to anonymity: anonymous users don't want to direct http
connections or such to find out what the current price is as that will
tend to identify them as remailer users, as well as tending to
correlate their true identify with their anonymous posts due to timing
correlations between the two events.
Some other ideas:
What about is-a-person credentials with some non-trivial purchase
cost. So a new nym would go to a web page do some proof of being
human (type in a number contained in a gif), maybe do some proof of
work (hashcash), and do some mild proof of uniqueness and anti-theft
of credential (mail the credential to the email address given).
If the same email-address is used twice, the user will be refused
another credential.
The user can then use the credential pseudonymously without being
identified. If the user exceeds some pre-defined volume limit on the
resource, the resource revokes the pseudonym.
This has more of the desireed properties: there is some sign-up
over-head for all users, which adds some inconvenience for regular
users, but at least it is only one-off for them. For flooders on the
other hand they can only send some sane limit per day of messages per
nym; and the overhead of creating a whole stream of nyms to make a big
flood is sufficiently inconvenient to make it quite tedious, though of
course not impossible for some truly dedicated person who wants to
spend all day typing numbers contained in images, minting 24hours
worth of hashcash on a normal machine etc.
If you wanted to get fancy you might be able to arrange that if the
nym sent more than a certain volume of messages in a time period his
email address would be revealed.
Thoughts on this?
(The anonymous is-a-person credentials could be built with Chaum's
credentials, or more flexibly with Brands' credentials, perhaps
Wagner's blind MAC based e-cash scheme.)
Adam
