On 03/04/14 23:26, Michael Rogers wrote:
> On 03/04/14 22:33, Ximin Luo wrote:
>> It took me a long time to finally understand what you meant by
>> this. I'll state it explicitly for others' benefit (since you
>> didn't mention this in the original list of requirements :p):
> 
>> - Bob's server knows that {Bob will successfully identify the
>> sender}.
> 
>> This is because we don't want even *contacts* to spam our mailbox
>> with random junk, we only want valid messages to be accepted by the
>> server.
> 
>> This is dangerous in schemes that separate
>> authorize-sender-to-server vs authenticate-sender-to-Bob, including
>> the one Michael suggested a few messages ago, and including the
>> scheme I suggested in the other branch of this thread, because any
>> of Bob's contacts can do this spamming *without being identified*.
> 
> In the scheme I suggested, the recipient would remember which contact
> each token had been issued to, so each junk message would be
> attributable to either the contact to which the attached token was
> issued, or the server - not any other contact.
> 

Yes, my wording could have been better, this is a new concept to me. The attack 
might seem esoteric, but if we can do better, why take this risk? The server 
being hostile is a problem you don't want to be uncertain about, and without 
this property, every single junk message raises the question "maybe the server 
is hostile, or maybe not".

> AFAICT the same's true for Trevor's single-use signature keys. But I'm
> not sure whether it's true for Pond's group signatures...
> 

In Trevor's case, the server would be able to discard non-attributable junk 
sent by contacts, because it will fail to verify the signature using k. So if 
Bob sees any junk from the server, he knows it is definitely the server not 
behaving correctly - either generating junk, or not discarding junk it can 
discard. I think it's similar for the group signature scheme.

A contact could send junk *within* the valid message, but then they are 
identifiable.

Perhaps the point is more clear if I word it like:

- Bob knows that his server *has the ability to* determine whether {Bob will 
successfully identify the sender}, and discard messages that don't fit this 
property.

X

-- 
GPG: 4096R/1318EFAC5FBBDBCE
git://github.com/infinity0/pubkeys.git
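A small runnable model of the property stated above, added here as an illustration and not code from the thread, from Trevor, or from Pond. It assumes a one-time Lamport signature as a stand-in for the "single-use signature keys" (the thread does not name a concrete scheme), that Bob generates each key pair, hands the signing half to one contact over their existing authenticated channel, and registers only the verification key k with his server under an opaque key id. The server can then verify and discard non-attributable junk; anything Bob receives that does not verify is attributable to the server, and junk that does verify is attributable to the contact that was issued that key.

```python
"""Constructed example: server-verifiable single-use signature keys.

Lamport one-time signatures (stdlib only) stand in for whatever single-use
signature scheme the thread has in mind; the attribution property is the
same for any signature the server can verify but not forge.
"""
import hashlib
import os

N = 256  # bits of SHA-256 message digest; one secret pair per bit


def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


def keygen():
    """One-time signing key sk and verification key k (assumed: Bob makes these)."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(N)]
    k = tuple((sha256(a), sha256(b)) for a, b in sk)
    return sk, k


def msg_bits(msg: bytes):
    h = int.from_bytes(sha256(msg), "big")
    return [(h >> (N - 1 - i)) & 1 for i in range(N)]


def sign(sk, msg: bytes):
    # Reveal one preimage per digest bit; sk must never be reused.
    return tuple(sk[i][bit] for i, bit in enumerate(msg_bits(msg)))


def verify(k, msg: bytes, sig) -> bool:
    if len(sig) != N:
        return False
    return all(sha256(s) == k[i][bit]
               for i, (s, bit) in enumerate(zip(sig, msg_bits(msg))))


class Server:
    """Bob's server: knows verification keys only, keyed by an opaque id."""

    def __init__(self):
        self.pending = {}  # key_id -> k, not yet consumed
        self.inbox = []    # (key_id, msg, sig) queued for Bob

    def register(self, key_id, k):
        self.pending[key_id] = k

    def receive(self, key_id, msg, sig) -> bool:
        k = self.pending.get(key_id)
        if k is None or not verify(k, msg, sig):
            return False           # unknown/used key or bad signature: discard
        del self.pending[key_id]   # single use: a replay is discarded above
        self.inbox.append((key_id, msg, sig))
        return True

    def inject(self, key_id, msg, sig):
        """What a hostile server does: queue without checking."""
        self.inbox.append((key_id, msg, sig))


class Bob:
    def __init__(self, server):
        self.server = server
        self.issued = {}   # key_id -> (contact, k)
        self.next_id = 0

    def issue_key(self, contact):
        sk, k = keygen()
        key_id, self.next_id = self.next_id, self.next_id + 1
        self.issued[key_id] = (contact, k)
        self.server.register(key_id, k)
        return key_id, sk  # sk goes to the contact (assumed authenticated channel)

    def fetch(self):
        """Each delivered item is either attributed to a contact or to the server."""
        out = []
        for key_id, msg, sig in self.server.inbox:
            contact, k = self.issued.get(key_id, (None, None))
            if k is not None and verify(k, msg, sig):
                out.append(("from", contact, msg))
            else:
                out.append(("server_misbehaved", None, msg))
        self.server.inbox.clear()
        return out


def scenario():
    """Constructed run: forgery, valid send, replay, attributable junk, hostile server."""
    server = Server()
    bob = Bob(server)
    alice_id, alice_sk = bob.issue_key("alice")
    mallory_id, mallory_sk = bob.issue_key("mallory")
    r = {}
    msg, junk = b"hi bob", b"junk"
    # Mallory (a contact) tries to spam under Alice's key id with her own key.
    r["mallory_forge"] = server.receive(alice_id, junk, sign(mallory_sk, junk))
    sig = sign(alice_sk, msg)
    r["alice_valid"] = server.receive(alice_id, msg, sig)
    r["replay"] = server.receive(alice_id, msg, sig)
    # Junk inside a validly signed message is accepted but attributable.
    r["mallory_own"] = server.receive(mallory_id, junk, sign(mallory_sk, junk))
    # Hostile server forwards something it could have discarded.
    server.inject(alice_id, b"spam", sign(mallory_sk, b"spam"))
    r["bob_sees"] = bob.fetch()
    return r
```

Running `scenario()` shows the three outcomes the message distinguishes: the forgery and the replay never reach Bob, Mallory's junk reaches Bob but is attributed to Mallory, and the injected item fails Bob's own verification, so Bob knows the server either generated it or failed to discard it.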


_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging