On Mon, Mar 31, 2014 at 12:11 PM, Ximin Luo <[email protected]> wrote:
> On 30/03/14 17:31, Trevor Perrin wrote:
>
>> * The server's storage of used values is unlimited over time, but
>> grows at a small rate, and could possibly be scoped by introducing
>> more complexity (e.g. rotating epochs).
>>
>
> Instead of storing used tokens, you could store *unused* tokens and delete
> used tokens. To authorize a sender, the server checks to see if their token
> is *in* its store, then deletes it if successful. To revoke, Bob tells the
> server Alice's tokens as before, but now the server deletes them instead of
> storing them.
That's interesting. It solves the "unbounded storage" problem, but it also
means Bob can't just share a MAC key with his server, he has to tell it in
advance about all the one-time signing keys he's distributed. And if Bob isn't
careful, the rate at which he publishes new keys to his server might reveal
new contacts, or the rate at which contacts are sending to him. Hmm.

> In summary, to achieve "Bob's server can't recognize messages from the same
> sender" we have two broad options:
>
> - every message looks to be from the same sender (group sigs)
> - every message looks to be from a new sender (send auth-tokens)
>
> From a not-too-deep think through, I'm not sure there are other options.

Note that just sending unique auth-tokens alongside the message isn't enough,
I think the tokens need to be public-key signatures over the message, so that
the mailbox server can't make it appear that a contact is spamming you by
associating junk messages with valid tokens.

Trevor
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
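The "store unused tokens, delete on use" mailbox from Ximin's reply, combined with Trevor's point that each token must be a public-key signature over the message, as an added, self-contained model that is not code from the thread or from any project discussed on the list. It assumes Lamport one-time signatures over SHA-256 as the concrete one-time signing scheme (the thread names no scheme), and all names (`MailboxServer`, `token_id`, `deliver`, the sample messages) are constructed for this illustration. The server stores only the unused one-time public keys Bob registered, accepts a message only if it verifies under the key named by its token, then deletes that key; revocation deletes Alice's remaining keys. Note that a valid but already-consumed token is rejected (replay), and a junk message attached to a valid unused token is rejected because the server cannot produce a signature under a key it does not hold.

```python
import hashlib
import secrets

H = hashlib.sha256
N = 256  # one (preimage pair) per bit of the SHA-256 message digest


def lamport_keygen():
    """Generate a Lamport one-time key pair (assumed scheme, not the list's).

    Secret key: 256 pairs of random 32-byte preimages.
    Public key: the SHA-256 hash of each preimage.
    """
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(N)]
    pk = [[H(s0).digest(), H(s1).digest()] for s0, s1 in sk]
    return sk, pk


def _digest_bits(message: bytes):
    d = H(message).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]


def lamport_sign(sk, message: bytes):
    """Reveal, for each digest bit, the preimage selected by that bit."""
    return [sk[i][b] for i, b in enumerate(_digest_bits(message))]


def lamport_verify(pk, message: bytes, sig) -> bool:
    """Check every revealed preimage hashes to the public-key slot for that bit."""
    if len(sig) != N:
        return False
    return all(H(sig[i]).digest() == pk[i][b] for i, b in enumerate(_digest_bits(message)))


def token_id(pk) -> bytes:
    """Short identifier for a one-time public key; this is what Bob registers."""
    return H(b"".join(h for pair in pk for h in pair)).digest()


class MailboxServer:
    """Bob's server (constructed for this example): holds *unused* tokens only."""

    def __init__(self):
        self.unused = {}   # token_id -> one-time public key
        self.inbox = []

    def register(self, pks):
        """Bob publishes the one-time public keys he handed to a contact."""
        for pk in pks:
            self.unused[token_id(pk)] = pk

    def revoke(self, pks):
        """Bob revokes a contact by deleting that contact's unused tokens."""
        for pk in pks:
            self.unused.pop(token_id(pk), None)

    def deliver(self, tid: bytes, message: bytes, sig) -> bool:
        pk = self.unused.get(tid)
        if pk is None:
            return False            # unknown, already used, or revoked token
        if not lamport_verify(pk, message, sig):
            return False            # junk attached to a valid token: rejected
        del self.unused[tid]        # consume the token so it cannot be replayed
        self.inbox.append(message)
        return True


def demo():
    """Walk through accept, replay, server-forged junk, and revocation."""
    server = MailboxServer()
    # Bob generates three one-time keys for Alice and registers their public halves.
    alice = [lamport_keygen() for _ in range(3)]
    server.register([pk for _, pk in alice])

    (sk0, pk0), (sk1, pk1), (sk2, pk2) = alice
    msg = b"hi bob"                       # constructed sample message
    sig = lamport_sign(sk0, msg)
    accepted = server.deliver(token_id(pk0), msg, sig)
    replayed = server.deliver(token_id(pk0), msg, sig)   # token already consumed

    # The server tries to pin junk on Alice using her still-unused token pk1;
    # without sk1 it can only supply garbage, which fails verification.
    junk_sig = [secrets.token_bytes(32) for _ in range(N)]
    forged = server.deliver(token_id(pk1), b"buy now", junk_sig)

    # Bob revokes Alice: her remaining tokens are deleted, so even a genuine
    # signature under pk2 is no longer accepted.
    server.revoke([pk1, pk2])
    after_revoke = server.deliver(token_id(pk2), msg, lamport_sign(sk2, msg))
    return accepted, replayed, forged, after_revoke, len(server.unused)


if __name__ == "__main__":
    print(demo())
```

The trade-off Trevor raises is visible in `register`: Bob must push every one-time public key to his server before a contact can use it, so the server sees when and how many keys Bob issues, even though it cannot link two accepted messages to the same sender.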
