Tim Starling wrote:
Administrators of wikis, forums, webmail and IRC all use IP blacklists as a means to enforce a code of behaviour. Roger counters that server administrators should move from IP-based access control to more secure identification methods such as PKA coupled with credit card authentication. But would that really be a step forward for privacy?
Your answer is precisely correct. We could even require Chinese dissidents (or similar) to fax in a copy of their passport to validate their user account. We could do a lot of things to prevent Tor abuse, but the point is we want to be as open as possible, and we want people to be as private as they need to be, without having grief.
What I recommend is that Tor resolve this problem in this way:
user -> tor cloud -> tor authentication -> tor trusted cloud -> website
If a website complains about a particular IP at a particular time, in the trusted cloud, then Tor retains enough information to track it back to the authentication server account. They still have no clue who the original user is, but they can then use whatever methods they want to keep jerks off the trusted cloud -- and then we could treat the trusted cloud like any other dynamic IP range.
--Jimbo
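
A sketch of the record-keeping this proposal implies, added here as an illustration; it is not part of the original message and not anything Tor implements. The class and method names are hypothetical, the addresses and timestamps are constructed, and it assumes each account gets exclusive use of a trusted exit address for a lease window.

```python
import secrets
from collections import defaultdict


class TrustedCloudAuth:
    """Hypothetical authentication server between the Tor cloud and the trusted cloud."""

    def __init__(self):
        self.banned = set()
        # exit IP -> list of (start, end, account). No client address is ever
        # stored, so a trace ends at the pseudonymous account.
        self.leases = defaultdict(list)

    def register(self):
        """Create a pseudonymous account identifier."""
        return "acct-" + secrets.token_hex(8)

    def open_session(self, account, exit_ip, start, end):
        """Lease exit_ip to account for the half-open window [start, end)."""
        if account in self.banned:
            raise PermissionError("account is barred from the trusted cloud")
        for s, e, _ in self.leases[exit_ip]:
            if start < e and s < end:  # windows overlap
                raise ValueError("exit address already leased in that window")
        self.leases[exit_ip].append((start, end, account))

    def trace(self, exit_ip, when):
        """Resolve a website's complaint (IP, time) to an account, or None."""
        for s, e, account in self.leases.get(exit_ip, []):
            if s <= when < e:
                return account
        return None

    def handle_complaint(self, exit_ip, when):
        """Ban the account that held exit_ip at that time and return it."""
        account = self.trace(exit_ip, when)
        if account is not None:
            self.banned.add(account)
        return account


if __name__ == "__main__":
    auth = TrustedCloudAuth()
    acct = auth.register()
    auth.open_session(acct, "192.0.2.10", 1000, 2000)  # constructed sample lease
    print(auth.handle_complaint("192.0.2.10", 1500) == acct)
```

The complaint has to carry an accurate timestamp: a report that falls outside every lease window resolves to no account, and one that lands in the wrong window bans the wrong account.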