[messaging] Message delivery and revocation in Pond etc
Trevor Perrin
trevp at trevp.net
Thu Apr 3 13:06:09 PDT 2014
On Thu, Apr 3, 2014 at 12:50 PM, Michael Rogers
<michael at briarproject.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 03/04/14 19:02, Trevor Perrin wrote:
>> I think you want signatures for garbage messages which fail
>> end-to-end authentication but could be used to fill the recipient's
>> mailbox with junk.
>
> I don't see how the recipient's mailbox could be filled with junk by
> anyone except the server. Anyone else would need a token to submit a
> message; tokens are only issued to authorised senders, and the number
> of tokens in circulation is controlled by the recipient, so it can be
> kept within the capacity of the mailbox.
In Pond, at least, the mailbox/recipient bandwidth is kept to a low,
roughly constant level over time, to resist traffic analysis.
Thus the recipient can be temporarily DoS'd by a fairly low volume of
messages. I'm not sure it's feasible to keep the # of outstanding
tokens so low as to prevent this.
>> With signatures a recipient can attribute a garbage message to a
>> particular sender, or to the server (if the message can't be
>> attributed to a sender, e.g. bad signature).
>
> Hmm, good point. How about this: the recipient gives random tokens to
> authorised senders, and the hashes of the tokens to the server. Now
> the server can only send a message by dropping a submitted message and
> stealing its token. If the recipient receives a junk message with a
> valid token then either the sender sent a junk message, or the server
> dropped a submitted message and stole its token.
Sure, but you can't distinguish those cases.
My original proposal was for distributing one-time signing keys which
would work similarly to your tokens, but with the added property that
the signature would be bound to a particular message.
> If we trust the server not to drop submitted messages (which I think
> we must under any scheme) then this works as far as I can see -
> without requiring group signatures.
Yeah, but I think signatures are still a good idea in conjunction with
one-time-use tokens.
Trevor
More information about the Messaging
mailing list