[messaging] Message delivery and revocation in Pond etc
michael at briarproject.org
Thu Apr 3 04:09:24 PDT 2014
-----BEGIN PGP SIGNED MESSAGE-----
On 30/03/14 17:31, Trevor Perrin wrote:
> Bob and his server share an HMAC key k. Bob distributes to each
> of his contacts a bunch of pairs (x, HMAC(k,y)) where (x,y) are a
> signature keypair (y=g^x).
> Contacts then send (msg, y, HMAC(k,y), sig(msg, x)) to the server,
> which records used values of HMAC(k,y) and rejects them in future.
Is crypto needed here? Assuming secure connections between Bob and the
server, and Bob's contacts and the server, Bob could just upload some
random tokens to the server, and hand the same tokens out to his
contacts; each token would be redeemable for delivery of one message.
Bob would know which tokens had been given to which contacts, but the
To revoke a contact's access, either (a) remove the contact's tokens
from the server (but this lets the server guess how many contacts you
have based on what fraction of tokens you remove), or (b) stop giving
the contact fresh tokens, allow the outstanding tokens to be spent, or
(c) stop giving the contact fresh tokens, connect to the server
anonymously and spend the outstanding tokens yourself.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----
More information about the Messaging