On Thu, Apr 3, 2014 at 3:36 PM, Michael Rogers <[email protected]> wrote:
> On 03/04/14 21:06, Trevor Perrin wrote:
>> In Pond, at least, the mailbox/recipient bandwidth is kept to a
>> low, roughly constant level over time, to resist traffic analysis.
>>
>> Thus the recipient can be temporarily DoS'd by a fairly low volume
>> of messages. I'm not sure it's feasible to keep the # of
>> outstanding tokens so low as to prevent this.
>
> If anything that makes it easier. There's already a limit on how many
> messages each contact can send per day, so the mailbox can be
> provisioned to accommodate that many messages.

No, senders contact mailboxes directly (in Pond). There's no limit to how much they can send. It's recipients who maintain a roughly-constant-rate connection to their own mailbox, which is the weak link for DoS.

>> My original proposal was for distributing one-time signing keys
>> which would work similarly to your tokens, but with the added
>> property that the signature would be bound to a particular
>> message.
>
> Yup, I don't see any problem with your original proposal - I'm just
> curious about whether we can do something simpler.

The cost of one-time signing keys (compared to one-time tokens) seems pretty insignificant to me:

The sender stores (32-byte?) signing keys vs (16 byte?) tokens, and calculates a signature when sending a message (which are < 16KB in Pond).

The receiver calculates a verification upon receiving a message.

The server and receiver could store 16-byte fingerprints of the one-time public keys, so there's not a storage difference there.

So it seems worthwhile just to do signing keys, and get immediate, reliable attribution in case of a junk message.

Trevor
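The one-time signing key scheme discussed in the message above, sketched as an added example (not part of the original thread and not Pond's code). It assumes Ed25519 keys and a fingerprint formed from the first 16 bytes of SHA-256 over the public key; `Mailbox`, `Issue`, `Send` and `Accept` are hypothetical names, and a single `Mailbox` value stands in for both the party that hands out keys and the server that checks them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Mailbox (hypothetical) keeps 16-byte fingerprints of unused keys, per contact.
type Mailbox struct{ unused map[[16]byte]string }

// fingerprint: first 16 bytes of SHA-256 over the public key (assumed format).
func fingerprint(pub ed25519.PublicKey) (fp [16]byte) {
	sum := sha256.Sum256(pub)
	copy(fp[:], sum[:])
	return fp
}

// Issue makes a one-time key: the contact gets the 32-byte seed, the mailbox the fingerprint.
func (m *Mailbox) Issue(contact string) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		return nil, err
	}
	m.unused[fingerprint(pub)] = contact
	return priv.Seed(), nil
}

// Send signs msg with a one-time seed, binding the key to this message.
func Send(seed, msg []byte) (ed25519.PublicKey, []byte) {
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, msg)
}

// Accept admits msg only under an unused issued key that signed it, then consumes the key.
func (m *Mailbox) Accept(pub ed25519.PublicKey, msg, sig []byte) (string, bool) {
	contact, ok := m.unused[fingerprint(pub)]
	if !ok || len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, msg, sig) {
		return "", false
	}
	delete(m.unused, fingerprint(pub))
	return contact, true // the contact the key was issued to: attribution
}

func main() {
	m := &Mailbox{unused: map[[16]byte]string{}}
	seed, _ := m.Issue("alice") // constructed contact name
	pub, sig := Send(seed, []byte("hi"))
	fmt.Println(m.Accept(pub, []byte("hi"), sig))
}
```

A failed check leaves the fingerprint in place, so a signature that does not cover the delivered message cannot use up a contact's key.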
