[Freedombox-discuss] Establishing Communication between Freedomboxes

bertagaz at ptitcanardnoir.org bertagaz at ptitcanardnoir.org
Sat Jul 9 14:13:20 UTC 2011


Hi,

Sorry for the lag, a bit busy over here...

On Mon, Jul 04, 2011 at 03:52:05PM -0400, ian at churchkey.org wrote:
> 
> 
> On 07/04/2011 01:02 PM, Daniel Kahn Gillmor wrote:
> > On 07/02/2011 02:24 PM, ian at churchkey.org wrote:
> >> I think the best way to do this is through something like a dynamicDNS
> >> centralized service.
> > 
> > Can you explain why a centralized service is the right way to go here?
> 
> It may not be, but it addresses three problems: 1) how to find other
> people without a face-to-face meeting, 2) how to enforce community rules
> for SPAM and abuse, 3) how to map someone's identity (real, pseudo, etc)
> to a machine address for their FreedomBox.
> 
> bertagaz's proposal, and the one from this weekend about distributed
> hash tables as a DNS-free locator mechanism, are both interesting
> proposals for how to resolve #1 above, and perhaps they are two halves of
> the same solution since I am unclear how bertagaz's keyserver model will
> map to physical freedombox locations without an intermediary when those
> locations change as often as residential IP addresses and I am not sure
> how a machine with physical addresses of other machines stored in a
> DHT converts newly discovered addresses to particular identities.

Sure, the GnuPG proposal I made isn't eliminating "intermediaries". The
freedombox key UID would point to DNS names or .onion addresses.

> > In contrast, a centralized service puts a level of power in the hands of
> > the maintainers of that service -- something that we're actively trying
> > to avoid, if i understand the goals of the project correctly.
> 
> Indeed. I tried to explain the purpose and limit of that power in
> context, but you are quite right that it should be explicitly discussed
> in light of our shared project goals.
> 
> > For example, in your blog post, you explicitly outline a way that such a
> > service could effectively ostracize a spammer or advertiser (albeit
> > without outlining what the policy should be in a contested case).  This
> > same mechanism could be used by a powerful adversary to de-voice and
> > isolate a dissenter or whistleblower.
> 
> For those who did not read the piece, the basic idea is a dynamic DNS
> server with additional capabilities to handle searching for friends and
> making an initial "friend request". You find me on the site, you go
> through whatever vetting mechanism we want on the site, which could be
> nothing or having a verified OpenID address, or whatever else we want,
> and the server gives you my most recent dynamic address plus a little
> crypto token so that when your freedombox sends a "friend me" ping to my
> freedombox's address, I can know how you got that address and deal with
> your request accordingly by sorting it into the right profile or
> dropping it if you don't have the right token and are just a SPAMer,
> etc. From there our servers talk to each other directly and have no need
> to involve the dynamic dns server again unless my address changes and i
> have not communicated a new one to you directly.
> 
> I think it is important to consider that people want a mechanism for
> enforcing community standards of SPAM and abuse. Everything from forums
> to online dating sites rely on having a mechanism for filtering out
> communications and members that push against the community norms. Even
> bittorrent trackers establish rules about the kind of materials that can
> be posted and shared on the system. If we do not want an intermediary
> with power to enforce some of these community norms, we need to think
> very carefully about how to accomplish the same thing at the distributed
> ends of our network because those kinds of social norms are at the center
> of how people communicate.
> 
> As to the specific example of a whistleblower or political dissenter, I
> don't think the dynamic dns system would have the kind of power
> necessary to isolate such an individual. The centralized server's only
> utility lies in making initial contact with a person and, potentially,
> in updating directions to that person when all other forms of addressing
> have failed. Once you make a connection between boxes, you are free to
> establish whatever other channels you wish for maintaining contact,
> whether that is routine pings with new ip address information, or a
> hidden TOR service for requesting address changes. If a powerful
> opponent were to get an individual's account dropped from one of these
> dynamic dns servers, that should have no impact on the communications of
> anyone who had previously made contact, or with anyone who was simply
> given the new address information after the account deletion. This is
> just a white pages with a privacy screen, not your ISP.
> 
> Since this is just a white pages, there is also nothing stopping
> multiple such sites from operating, just as we currently have social
> networks, online dating, professional connection sites, and personal
> blogs. A politically powerful opponent might be able to stop one of
> these organizations from distributing your contact info, but if we
> design them well enough from a legal and political position, as say
> non-profits operated from multiple countries, it should be exceedingly
> difficult to stop them all.
> 
> By the same token, an opponent politically powerful enough to subvert
> that kind of distributed naming system could just as conceivably subvert
> the existing DNS hierarchy or that of the gpg keyservers.
> 
> > When in doubt, we should avoid infrastructure with this kind of
> > centralized leverage.  too much centralized power already exists in the
> > non-freedombox world.  Let's not replicate those mistakes.
> 
> Agreed, but let's also not overlook the problems solved by a centralized
> architecture as we move away from that centralization. I would love to
> hear some more about how we can publish identity and machine contact
> information through either the keyservers or dht, and particularly about
> how to protect such contact routes from abuse by SPAMers and other forms

Well, in the GnuPG scenario I quickly explained, handling of "disruptive
behaviors", being abuses of a community policy or spam, would be handled
collectively by the community I guess. If such a case happens, people
would just have to revoke their signature of the offending peer, thus
getting him outside of their WOT. Where possible, I believe communities
should be in charge of their own policy rather than giving too much power
in the hands of a central authority.

bert.
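
The introduction token described in the quoted text above (the directory hands out an address plus a token, and the receiving box sorts or drops the "friend me" ping based on it), as an added example that is not code from this thread or from the FreedomBox project. It assumes the box and the directory share a secret key and that the token is an HMAC-SHA256 over requester, target, profile and expiry; every name and value in it is hypothetical.

```python
import hashlib
import hmac
import json

# Constructed demo key. Assumption: the box registered it with the directory.
BOX_KEY = b"constructed-demo-key"


def _mac(key, requester, target, profile, expires):
    # JSON list encoding keeps field boundaries unambiguous before MACing.
    msg = json.dumps([requester, target, profile, expires]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_introduction(key, requester, target, profile, expires):
    """Directory side: hand the requester a token bound to this introduction."""
    return {"requester": requester, "target": target, "profile": profile,
            "expires": expires,
            "token": _mac(key, requester, target, profile, expires)}


def handle_friend_ping(key, me, ping, now):
    """Box side: return the profile to file the request under, or None to drop."""
    try:
        requester, target = ping["requester"], ping["target"]
        profile, expires = ping["profile"], ping["expires"]
        token = str(ping["token"]).encode()
        expected = _mac(key, requester, target, profile, expires).encode()
    except (KeyError, TypeError, ValueError):
        return None  # malformed ping
    if target != me or not isinstance(expires, int) or expires < now:
        return None  # addressed to another box, or introduction expired
    # Constant-time comparison so the check does not leak the expected MAC.
    return profile if hmac.compare_digest(expected, token) else None


if __name__ == "__main__":
    # Constructed sample introduction and a forged copy of it.
    ping = issue_introduction(BOX_KEY, "alice@example.org", "ian-box",
                              "vetted-openid", expires=1_310_300_000)
    print(handle_friend_ping(BOX_KEY, "ian-box", ping, now=1_310_220_800))
    forged = dict(ping, requester="spammer@example.net")
    print(handle_friend_ping(BOX_KEY, "ian-box", forged, now=1_310_220_800))
```

After a valid first contact the two boxes no longer need the directory, which matches the flow in the quoted text; the shared key is what the directory operator would hold, so it is also the piece a decentralized design has to replace.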


