<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 17 April 2015 at 23:10, Michael Rogers <span dir="ltr"><<a href="mailto:michael@briarproject.org" target="_blank">michael@briarproject.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 17/04/15 18:37, Ben Laurie wrote:<br>
><br>
> On 17 April 2015 at 11:54, Michael Rogers <<a href="mailto:michael@briarproject.org">michael@briarproject.org</a><br>
</span><div><div class="h5">> <mailto:<a href="mailto:michael@briarproject.org">michael@briarproject.org</a>>> wrote:<br>
><br>
> Members should be able to send messages to the group, such that any<br>
> member of the group can verify that a message was written by the owner<br>
> of a particular signature key, but can't prove it to anyone outside the<br>
> group.<br>
><br>
><br>
> Isn't this a fantasy requirement? That is, if I am a member of the group<br>
> and I want to prove it to someone outside the group, don't I just have<br>
> them look over my shoulder?<br>
<br>
</div></div>It's not a fantasy requirement, it's a standard property of MACs. If<br>
Alice and Bob share a MAC key and Alice uses it to create a MAC, Bob<br>
knows that since he didn't create the MAC, Alice must have done. But Bob<br>
can't prove to Carol that it was Alice rather than Bob who created it.<br></blockquote><div><br></div><div>If Carol knows everything Bob knows, then Carol also knows Alice created it. That's my point.</div><div><br></div><div>I don't believe it is possible for Bob to prove there is no Carol.</div><div><br></div><div>All I'm really saying is the property you can have is something a little weaker, as Ximin has expounded on at some length.</div><div><br></div></div></div></div>