[messaging] Security arguments for read receipts

Jeff Burdges burdges at gnunet.org
Wed Nov 4 08:06:46 PST 2015

On Wed, 2015-11-04 at 15:51 +0100, Ximin Luo wrote:
> Also I'm not sure if I understand those definitions properly. For
> example, what's the difference between M0 and R1, and why do you say
> that Pond has R0 and not R1. If Pond has R0, what does R1 even mean
> in that case?

Ms are about what the mail server learns.
Rs are about what the mail recipient learns.

You cannot naively encrypt a multi-use token for for the mail server
and encrypt the senders name for the recipient because a bad sender can
use the proper multi-use token, but keep themselves anonymous from the
recipient by placing garbage there, thus allowing them to DoS your

If you want both M1 and R0 together, then you must somehow encode both
the authorization to the mail server and the encrypted identity of the
sender in the same value.  

Pond need M0 or M1 to hide mtadata from the server.  If Pond did not
have R0, then you could eaily DoS attack someone's Pond mailbox.  R0
ensure that, if you do, then they can revoke you.  Pond has M0 and R0
together because it uses complex & slow pairing-based elliptic curve
crypto.  Single use tokens achieve M1 and R0 much more simply though.  


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20151104/0c77d04b/attachment.sig>

More information about the Messaging mailing list