[messaging] Recognizing senders of metadata-hidden messages

Ben Harris mail at bharr.is
Wed Jul 29 15:33:13 PDT 2015

On 29 Jul 2015 4:45 am, "Jeff Burdges" <burdges at gnunet.org> wrote:
> I'd consider that a good argument for abandoning S0 in favor of S1, at
> least for normal human messaging.  In what applications do you imagine
> S0 being so important?  Add some pairwise but non-transitive identity?

I'd add a category between S0 and S1, like S0-soft. In a real S0 senders
have totally different "to" information (keys and mailbox id). In S0-soft,
they can have similar, but not be able to_prove_ to one another that they
can communicate with the same person (e.g. sharing the same mailbox ID, but
having different access keys).

If you aren't having single use mailbox addresses, then you HAVE to share
the mailbox address between multiple senders (otherwise the server can
identify senders breaking M0). In this case you can't get a hard S0, only a
"plausible deniability" S0-soft. The implementation has the option of
reducing the size of the mailbox ID at the expense of having more work to
do checking the sender auth (e.g. For Pond, you might have several HMAC
keys registered for a single mailbox, at the extreme having only 1 address
and checking every registered HMAC token - which is somewhat impracticable).
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20150730/82f578fd/attachment.html>

More information about the Messaging mailing list