
NiGHTSFTP April 23rd, 2002 07:22 AM

Signing Files, but not quite Hashing..?
 
And it occurred to me: Is there any way to tag files to tell someone that you ripped them, and they are untampered?

More like a PGP signature? (To identify the source, that is.)

(Not quite hashing. I just want to be able to rip lots of my CDs, and share them, and for someone to know that they are good, and untampered with.)

That would be a definite request of mine, for someone to know that I myself ripped it, so they know it's Quality. (And maybe, search by whoever rips things by-category. Say: Music -> By: "User" or Music -> By "User".)

Just a thought. Maybe someone else can explain more clearly :)

Edit: The point of the hash being to know exactly who the originator was. Like, when warez says "CLASS" on it, I know it's good because it is associated with a warez group that is known for what they do, same idea here.

Smilin' Joe Fission April 23rd, 2002 07:17 PM

You know, I was just thinking the same thing today. I'd like to do the same thing with some of the DivX AVIs I make.

Sajma April 29th, 2002 11:16 AM

The first challenge here is that "By User" wouldn't reference a user name or email address, but rather a public key. Essentially you want to filter your search to those items that are signed by a key you trust. This suggests that Limewire would need a simple key management tool that lets you list the keys of content providers you trust.

As for the signatures themselves, those could be stored in Gnutella as their own items. The description line for a signature could be something like:
"|0fs73jfesa==| signed by |hjfw98\rf430|"

Where the first hash is the content hash of the data item that was signed, and the second hash is the hash of the public key of the signer. The content of this file is the signature itself. Thus, to verify the authenticity of an item, I just search for this description line to find the appropriate signature. Note that this lets multiple people sign the same item, so you can do stuff like threshold checking (e.g., I'll trust this content if it's signed by 2 out of 3 people I trust).

One problem though: if you sign the content you rip, that might make it easier for the RIAA to find you :)

NiGHTSFTP April 30th, 2002 07:35 AM

Excellent :)

Any hope of this being implemented?

And if it would make it easier for the RIAA to track down, what, how many files a person has made?

All that would be needed then, is some privacy-enhancing, and a system for filtering out non-genuine Limewire, Bearshare, or whatever clients.

I personally want, what is it, the GDF? (is that the right acronym) to make a large impact on filesharing, and I hope it's not only positive, but large. This is probably my biggest request under "Make Gnutella Faster" and "Make Gnutella Secure" :D

Sajma April 30th, 2002 07:53 AM

Well the RIAA can't really do anything based on a signature. Anyone can sign any file, so the RIAA can't claim that just because you signed a file, you violated their copyright.

(begin paranoid rant)

What they could do, however, is notice that the community trusts your signature on ripped files, and from that infer that you're somehow aiding in the violation of their copyrights. I'm not a legal person, but I imagine the RIAA might go after those people that the music-sharing community trusts in this way.

Of course, this assumes the RIAA has some way of associating a public key with a person. If you use PGP, your public key is typically associated with your real name and email address, so this is certainly possible. If you're careful to only associate your public key with a pseudonym, this is less of a concern.

(end paranoid rant)

Regardless, supporting signatures on content is still a great idea for non-copyrighted material, such as free software distributions, public documents, and free artistic works.

NiGHTSFTP April 30th, 2002 04:08 PM

Here's my thought.

- One person permanently signs a file (being the first signer), and then just have sub-signatures of users that will contain not only their signature, but a 0-10 rating of the file.

A common list of guidelines for ranking could be made for different types of media.

(Should/Could there be a limit on sub-signatures per file? 20? 50? 100?)

Signatures should not be able to be removed, of course. Too much room for tampering. Possibly be able to remove your own signature, but nobody else's? (there should be a minimum limit of characters of 8, and 2 numbers/symbols in the password)

I would only suppose that signatures couldn't be removed from files, mainly because of malicious users. Files that are rated should be averaged to attempt to weed out malicious ratings, and create a fair assessment of the file. Also, your own trusted keys could carry more weight than the public averaged rating (essentially two ratings 1/2 (1 being trusted rating, 2 being public rating)).

That's what I got so far. I'm pretty sure there's a better way to handle this, so, if you have an idea, shout it out.

Edit: Whoops, meant to address your issue. Adding many security enhancements to Gnutella would be needed. Some sort of IP masquerading, and encrypted file transfers between users (as I said, SecureIM style (like in Trillian)). More than just those things, though :)

Then, pseudonyms would keep identity hidden. (I don't have much else, maybe I should read up on how gnutella works internally, and more info on public key exchanges, and just brush up on this in general).

YotamAviv May 3rd, 2002 09:11 AM

top 40 project requires searching by hashes
 
We've (2 of us) been thinking about a very related thing:
- Public, non-anonymous, discussion, ratings, top 40
done through http://one-of-us.org
- File sharing anonymous, non-secure
done through Gnutella, but we need to specify the file somehow
(like a hash.)

- notes: http://top40.one-of-us.org.
- discussion: http://one-of-us.org (search for gnutella)
Please consider checking it out and commenting on it.
I'll continue to monitor this discussion.

Tom.

Sajma May 3rd, 2002 09:55 AM

NiGHTSFTP: Digital signatures can't really be "removed" by anyone -- they're just data that can be verified using a public key. The rating system you proposed has the problem that a malicious user could create a high rating for a file they like and sign it with a bunch of different keys, so it looks like many different users rating the file. It's not clear how to solve this problem.

I think the file authenticity stuff is more interesting and more tractable. It's straightforward to have GNU or RedHat publish their public key on their website and to sign their free software distributions. Users can then check the authenticity of distributions downloaded from Gnutella using those keys. As you suggested, users could even restrict their searches to match only items signed by a particular key.

A lot of work has been done on this sort of authenticated data distribution. In particular, see the self-certifying read-only file system (SFSRO) and the cooperative file system (CFS).

Similar techniques could be applicable to content stored on Gnutella (although Gnutella can't provide the same load balancing properties as CFS).

YotamAviv May 3rd, 2002 10:06 AM

trust network for recommending file versions
 
Sajma:
The scheme we recommend (described somewhat at http://top40.one-of-us.org) involves using a non-anonymous trust network to recommend and discuss files.

So there are 2 orthogonal components:
1) legal, non-anonymous, trusted recommendation and discussion:
Much like how open source projects post their public key or the MD5 checksum of files on their site but let you download the file from mirrors or the p2p network.
2) illegal, anonymous file sharing:
Hopefully with the added ability to let you specify the MD5 checksum of the file so that you know that it's really the same file that was highly ranked or recommended.

NiGHTSFTP May 4th, 2002 03:44 PM

Quote:

Originally posted by Sajma
NiGHTSFTP: Digital signatures can't really be "removed" by anyone -- they're just data that can be verified using a public key. The rating system you proposed has the problem that a malicious user could create a high rating for a file they like and sign it with a bunch of different keys, so it looks like many different users rating the file. It's not clear how to solve this problem.

...


What about filtering the ratings?

Like: Search-> Category -> Rated 7 or better -> "Trusted Keys Only"

And you could have a small (personal) trusted key database.

Add ability to export, import, merge the key databases. (Trade em with your friends!).
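The scheme sketched in this thread (Sajma's signature items with a "|content hash| signed by |key hash|" description line, a personal trusted-key database, the "signed by 2 of 3 people I trust" threshold, and the "Trusted Keys Only" filter) as an added Go example; this is not code from the thread or from LimeWire. SHA-256 for the hashes and Ed25519 for the keys are assumptions, since the posts name no algorithms.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SigItem is a signature published as its own Gnutella item, as Sajma describes.
type SigItem struct {
	ContentHash string // hex SHA-256 of the shared file (hash choice is an assumption)
	KeyHash     string // hex SHA-256 of the signer's public key
	Sig         []byte // Ed25519 signature over the file bytes (assumed scheme)
}

func hashHex(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// Description is the searchable line "|<content hash>| signed by |<key hash>|".
func (s SigItem) Description() string { return "|" + s.ContentHash + "| signed by |" + s.KeyHash + "|" }

// SignFile builds the item a ripper would publish next to the file.
func SignFile(priv ed25519.PrivateKey, file []byte) SigItem {
	pub := priv.Public().(ed25519.PublicKey)
	return SigItem{hashHex(file), hashHex(pub), ed25519.Sign(priv, file)}
}

// TrustedSigners counts DISTINCT trusted keys with a valid signature on file.
// Items from unknown keys, for other content, with bad signatures, or repeating
// a key already counted add nothing, so minting fresh keys cannot inflate it.
func TrustedSigners(trusted map[string]ed25519.PublicKey, file []byte, items []SigItem) int {
	want, seen := hashHex(file), map[string]bool{}
	for _, it := range items {
		if pub, ok := trusted[it.KeyHash]; ok && it.ContentHash == want && ed25519.Verify(pub, file, it.Sig) {
			seen[it.KeyHash] = true
		}
	}
	return len(seen)
}

// Accept applies the "signed by k of the keys I trust" threshold check.
func Accept(trusted map[string]ed25519.PublicKey, file []byte, items []SigItem, k int) bool { return TrustedSigners(trusted, file, items) >= k }

func main() {
	file := []byte("constructed sample: ripped track bytes") // constructed input
	_, priv, _ := ed25519.GenerateKey(nil)                  // nil reader means crypto/rand
	item := SignFile(priv, file)
	trusted := map[string]ed25519.PublicKey{item.KeyHash: priv.Public().(ed25519.PublicKey)}
	fmt.Println(item.Description(), Accept(trusted, file, []SigItem{item}, 1))
}
```

A client would search for the description line of a downloaded file, pull the matching signature items, and show only files that pass Accept for the user's chosen threshold.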