next up previous
Next: Acknowledgements Up: The Eternity Service Previous: Time


The eternity service that we have proposed in outline here may be important in guaranteeing individual liberties against the abuses of power. It is also interesting from the scientific point of view, and the purpose of this paper has been to present it to the cryptology and computer security communities as an interesting problem that merits further study.

Building the eternity service will force us to clarify a number of points such as the nature of secure time, the limits to resilience of distributed authentication services, and the write-once indexing of large databases. The project should also broaden our understanding of anonymity. It appears, for example, that the difficulty of scaling anonymous communications is an essential feature rather than a nuisance; if there were just one channel, the judge could have it cut or flooded.

Perhaps the most interesting aspect of the service is that it might teach us a lot about availability. Just as our appreciation of confidentiality was developed by working out the second- and third-order effects of the Bell LaPadula policy model [Amo94], and authenticity came to be understood as a result of analysing the defects in cryptographic protocols [AN95], so the Eternity Service provides a setting in which availability services must be provided despite the most extreme opponents imaginable.

Ross Anderson
Tue Jun 17 15:08:09 BST 1997