[messaging] Message delivery and revocation in Pond etc

Ximin Luo infinity0 at pwned.gg
Thu Apr 3 15:57:36 PDT 2014


On 03/04/14 23:26, Michael Rogers wrote:
> On 03/04/14 22:33, Ximin Luo wrote:
>> It took me a long time to finally understand what you meant by
>> this. I'll state it explicitly for others' benefit (since you
>> didn't mention this in the original list of requirements :p):
> 
>> - Bob's server knows that {Bob will successfully identify the
>> sender}.
> 
>> This is because we don't want even *contacts* to spam our mailbox
>> with random junk, we only want valid messages to be accepted by the
>> server.
> 
>> This is dangerous in schemes that separate
>> authorize-sender-to-server vs authenticate-sender-to-Bob, including
>> the one Michael suggested a few messages ago, and including the
>> scheme I suggested in the other branch of this thread, because any
>> of Bob's contacts can do this spamming *without being identified*.
> 
> In the scheme I suggested, the recipient would remember which contact
> each token had been issued to, so each junk message would be
> attributable to either the contact to which the attached token was
> issued, or the server - not any other contact.
> 

Yes, my wording could have been better; this is a new concept to me. The attack might seem esoteric, but if we can do better, why take this risk? The server being hostile is a problem you don't want to be uncertain about, and without this property, every single junk message raises the question "maybe the server is hostile, or maybe not".

> AFAICT the same's true for Trevor's single-use signature keys. But I'm
> not sure whether it's true for Pond's group signatures...
> 

In Trevor's case, the server would be able to discard non-attributable junk sent by contacts, because it will fail to verify the signature using k. So if Bob sees any junk from the server, he knows it is definitely the server not behaving correctly - either generating junk, or not discarding junk it can discard. I think it's similar for the group signature scheme.

A contact could send junk *within* the valid message, but then they are identifiable.

Perhaps the point is more clear if I word it like:

- Bob knows that his server *has the ability to* determine whether {Bob will successfully identify the sender}, and discard messages that don't fit this property.

X

-- 
GPG: 4096R/1318EFAC5FBBDBCE
git://github.com/infinity0/pubkeys.git
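As an added illustration (not code from this thread, from Pond, or from Trevor's proposal, whose details are not given on this page), here is a small Go model of the property argued for above: Bob issues one ed25519 keypair per message to each contact and registers the public key k with his server; the server verifies the signature under k and then consumes k, so junk it can recognise is discarded before it reaches Bob, and anything that does reach him but fails his own check can only be the server's doing (either generating junk or not discarding what it could). The key format, the one-key-per-message rule, the envelope layout and the two attribution verdicts are assumptions of this example, and the message bodies are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Errors the server returns when it refuses to store a message.
var (
	ErrUnknownKey   = errors.New("server: key k is unknown or already spent")
	ErrBadSignature = errors.New("server: signature does not verify under k")
)

// Verdict is how Bob attributes a message the server delivered to him.
type Verdict string

const (
	FromContact Verdict = "contact"          // valid message, sender identified
	FromServer  Verdict = "server-misbehaved" // server could have discarded this
)

// Envelope is what a contact hands to Bob's server (assumed layout).
type Envelope struct {
	KeyID string // hex of the single-use public key k
	Body  []byte
	Sig   []byte // ed25519 signature over Body with the single-use private key
}

// Server holds only public keys, so it can verify and discard but never forge.
type Server struct {
	unspent map[string]ed25519.PublicKey
}

func NewServer() *Server { return &Server{unspent: map[string]ed25519.PublicKey{}} }

// Accept is the server-side check: store a message only if it carries a valid
// signature under an unspent key, and consume that key on success.
func (s *Server) Accept(e Envelope) error {
	pub, ok := s.unspent[e.KeyID]
	if !ok {
		return ErrUnknownKey
	}
	if !ed25519.Verify(pub, e.Body, e.Sig) {
		return ErrBadSignature
	}
	delete(s.unspent, e.KeyID) // single use: a replay is now unknown
	return nil
}

// issuedKey records which contact a single-use key was handed to.
type issuedKey struct {
	contact string
	pub     ed25519.PublicKey
	spent   bool
}

// Recipient is Bob: he generates keys, registers k with his server and
// remembers which contact each key went to.
type Recipient struct {
	keys map[string]*issuedKey
}

func NewRecipient() *Recipient { return &Recipient{keys: map[string]*issuedKey{}} }

// IssueKey creates one single-use keypair for a contact, tells the server
// about k, and returns the private half (handed to the contact out of band).
func (r *Recipient) IssueKey(contact string, s *Server) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	id := hex.EncodeToString(pub)
	r.keys[id] = &issuedKey{contact: contact, pub: pub}
	s.unspent[id] = pub
	return priv, nil
}

// Seal is the contact side: sign the body with the single-use key.
func Seal(priv ed25519.PrivateKey, body []byte) Envelope {
	pub := priv.Public().(ed25519.PublicKey)
	return Envelope{KeyID: hex.EncodeToString(pub), Body: body, Sig: ed25519.Sign(priv, body)}
}

// Attribute is Bob's own check on what the server delivered. Anything that
// fails here is something the server could have discarded, so it is blamed on
// the server rather than on any contact.
func (r *Recipient) Attribute(e Envelope) (Verdict, string) {
	k, ok := r.keys[e.KeyID]
	if !ok || k.spent || !ed25519.Verify(k.pub, e.Body, e.Sig) {
		return FromServer, ""
	}
	k.spent = true
	return FromContact, k.contact
}

func main() {
	bob, server := NewRecipient(), NewServer()
	priv, _ := bob.IssueKey("alice", server)
	env := Seal(priv, []byte("constructed sample message")) // constructed input
	fmt.Println("server accepts:", server.Accept(env))
	v, who := bob.Attribute(env)
	fmt.Println("bob attributes to:", v, who)
	junk := Envelope{KeyID: env.KeyID, Body: []byte("junk"), Sig: env.Sig}
	fmt.Println("server on replayed junk:", server.Accept(junk))
	v, _ = bob.Attribute(junk)
	fmt.Println("bob, if it were delivered anyway:", v)
}
```

The point of the split is that `Accept` and `Attribute` apply the same test, so the set of messages the server is allowed to store is exactly the set Bob will be able to attribute to a contact; a contact who wants to send junk can only do so inside a correctly signed message, where they are identified.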

