Tim Starling wrote:
Administrators of wikis, forums, webmail and IRC all use IP blacklists
as a means to enforce a code of behaviour. Roger counters that server
administrators should move from IP-based access control to more secure
identification methods such as PKA coupled with credit card
authentication. But would that really be a step forward for privacy?

Your answer is precisely correct. We could even require Chinese
dissidents (or similar) to fax in a copy of their passport to validate
their user account. We could do a lot of things to prevent Tor abuse,
but the point is we want to be as open as possible, and we want people
to be as private as they need to be, without having grief.

What I recommend is that Tor resolve this problem in this way:

user -> tor cloud -> tor authentication -> tor trusted cloud -> website

If a website complains about a particular IP at a particular time, in
the trusted cloud, then Tor retains enough information to track it back
to the authentication server account. They still have no clue who the
original user is, but they can then use whatever methods they want to
keep jerks off the trusted cloud -- and then we could treat the trusted
cloud like any other dynamic IP range.

--Jimbo