[messaging] Pond-like tokens for email (was: TOFU to ease PGP key discovery)

Ben Harris mail at bharr.is
Tue Feb 10 23:38:54 PST 2015

> By Pond's approach, I think you mean recipients hand out one-time
> delivery tokens to their senders, so their mailbox can accept messages
> or blacklist senders without learning the sender?

Taking this opportunity to discuss a slight modification to the status-quo
at the expense of "forward anonymity".

Ponds approach is to generate X private keys and a HMAC of the associated
public keys. The sender is given both sets, the receiving server gets the
key to the HMAC.

The slight modification is to generate the private keys by chaining a hash
(only works for things like most ECC where a private key can be created
from a hash). So from the initial key x, the next key is H(x) with some
implementation specific padding for domain separation.

The advantages are a reduction in the token transfer size by up to half
(assuming 256bit private and 256bit HMAC), and savings in revocation - you
send the next private key to the server and it can revoke all remaining
keys (with the option for a TMTO).

I don't think this reduces privacy anymore than sending a batch of HMACs to
revoke. But it has storage savings for all three parties.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20150211/6cb37671/attachment.html>

More information about the Messaging mailing list