May 20, 2003

Email whitelists, p2p and webs of trust

I commented on Julian's site.

Doubtless you know this already, but the problem lies in just how well you 'trust' the other resources. It would be rather easy for a system with a membership to accept inquiries from its members about other members.

As in, if you belong to group A then you could ask it whether user X also belonged to the group. One safe way to do this would be with SHA1 hashes. You don't ask if the address is known, you only ask if the hash is known. That way you're not feeding the group server with fresh addresses. You're passing it a hash that it can't decode. It can only see if it already knows of an address with that hash.

The downside, of course, is that someone that knows the hashes (and they're not likely to be randomly guessed) would be able to 'tell' if a given user 'belonged' to it. This would allow the opportunity for such services to act as intermediaries between different services. I could ask service A if it knows about user X. Service A would, in turn, inquire (unbeknownst to me) of service B. I'd only be getting an answer back from service A. This presumes that I'd trust service A to make such proxies for me. Service A could likewise proxy such requests anonymously. As in, service B only sees the request coming from service A, not from me directly. The assumption there is that the services would likewise trust each other for such things.

What's needed is a web of trust. One that allows checks and balances to be applied, but only as needed. As it stands now there's very little available in regard to decent user interfaces for managing this sort of thing. Much like PKI, I'd want a system like this to be able to invalidate or otherwise require renewals of such lookups. At some point it may come to pass that service A is compromised (marketing droids have taken over) and should no longer be trusted. I'd want this to be something my other services would be capable of providing to me.

Trouble is, how to make this a process that doesn't torment the users?
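
The hash-only lookup, the proxied query and the revocation described in the post, as an added sketch (not code from the post or from any real service). `GroupService`, `Client`, the service names and the example.org addresses are hypothetical, and trimming and lowercasing the address before hashing is an assumption.

```python
import hashlib

def address_hash(address: str) -> str:
    # Trim + lowercase before hashing is an assumption; both sides must agree on it.
    return hashlib.sha1(address.strip().lower().encode("utf-8")).hexdigest()

class GroupService:
    """Hypothetical membership service: stores and answers on hashes only."""
    def __init__(self, name, members=(), peers=()):
        self.name = name
        self._known = {address_hash(a) for a in members}
        self.peers = list(peers)   # services it may ask on a caller's behalf
        self.seen_from = []        # who each incoming query appeared to come from

    def knows(self, digest, asker, hops=1):
        self.seen_from.append(asker)
        if digest in self._known:
            return True
        if hops <= 0:              # hop limit stops proxy loops between services
            return False
        # Proxied query: the peer sees this service as the asker, not the caller.
        return any(p.knows(digest, self.name, hops - 1) for p in self.peers)

class Client:
    """Hypothetical mail client holding a revocable list of trusted services."""
    def __init__(self, name):
        self.name = name
        self.trusted = {}

    def trust(self, service):
        self.trusted[service.name] = service

    def revoke(self, service_name):
        self.trusted.pop(service_name, None)

    def is_whitelisted(self, sender):
        digest = address_hash(sender)   # only the digest leaves the client
        return any(s.knows(digest, self.name) for s in self.trusted.values())

# Constructed sample data: two services, one client that trusts only service A.
service_b = GroupService("B", members=["carol@example.org"])
service_a = GroupService("A", members=["bob@example.org"], peers=[service_b])
me = Client("me")
me.trust(service_a)

if __name__ == "__main__":
    for sender in ("Bob@Example.org", "carol@example.org", "stranger@example.net"):
        print(sender, me.is_whitelisted(sender))
    me.revoke("A")                      # service A is no longer trusted
    print("after revoke:", me.is_whitelisted("bob@example.org"))
```

An unknown digest gives a service nothing it can store as an address, while a caller who already holds an address still gets a yes or no on membership, which is the downside the post names.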

Spam | 12:33 AM