On 08/26/2013 04:12 AM, Richard Salz wrote:
> You need the client to be able to generate a keypair, upload the public
> half, and pull down (seamlessly) recipient public keys. You need a server
> to store and return those keys. You need an installed base to kickstart
> the network effect.
>
> Who has that?
I know who has that - in spades! The bitcoin network is a public transaction record of bitcoin transfers. The individual accounts are not quite fully anonymous to a determined observer, but nothing we've discussed here would be more anonymous.

Anyway, a bitcoin client already generates key pairs, and every transaction stores them in the database. The database is distributed to all "full node" clients, and kept (reasonably) secure using Nakamoto's proof-of-work protocol for the Byzantine generals problem. The maintainers of the database have a vested (monetary) interest in keeping the database secure.

Anyway, each "address" is a relatively short high-entropy string (ECC crypto) -- and each client already has an "address book" of public "addresses" (public keys where people can be sent bitcoin payments -- or private messages) and "accounts" (private keys which represent bitcoin that can be sent). In addition, you can ask the client to generate a new "address" (keypair) for you at any moment. The private key goes into your "accounts" as an account with zero balance (and no message history), and a new public key for you goes into your "addresses" as a place where you can receive payments (and messages).

There are smartphone clients that don't maintain the full database, but which do maintain the address book, accounts, and address-generation bits for you. There are already solutions for transferring public keys directly between smartphones via Bluetooth, which is a convenient channel outside the sphere of Internet eavesdropping. And there is already software that can preprint N business cards (with or without your name/etc. on them) that all have different "addresses" on them, so you can hand them out to anyone whom you think may have a reason to send you money (or messages), one address per person. In practice, people need to key in an address for someone once if they are handed a card. Keying it in is about the same difficulty as a VIN number on an auto insurance form.

Subsequent new addresses for the same person can be sent in an encrypted message, along with any bitcoin transaction, and automatically replace the address you already have associated with that account for your next payment (or message). If Alice doesn't have preprinted cards, she has her smartphone and it can generate an address for her on demand -- she will have to read it off her smartphone screen if she wants to scribble it on a napkin.

If we build further email infrastructure on top of this, a side effect is that every user has a choice about whether or not s/he will accept messages without payments. You can require someone to make a bitcoin payment to send you an email. Even a tiny one-percent-of-a-penny payment that is negligible between established correspondents or even on most email lists would break a spammer. Also, you can set your client to automatically return the payment (when you read a message and don't mark it as spam) or just leave it as a balance that you'll return when you reply.

In short, a private email client can be built directly on top of the bitcoin network. In practice, I think it would be useful mainly for maintaining the distribution and updating of keys, rather than for messages per se, because the amount of "extra" data you can send along with a bitcoin transaction is quite small (3k? I think?). Anyway, it couldn't handle file attachments etc.

Bear

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
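A worked simulation of the scheme sketched in the post above, added here as an example and not code from the post, the list, or any bitcoin client. It generates real secp256k1 keypairs (the curve bitcoin uses, implemented in plain Python), keeps an "accounts" set of own keys and an "address book" of correspondents, lets a correspondent rotate to a new address inside a message, and applies the postage rule: an unknown sender's message is dropped unless a payment is attached, and the payment is refunded when the message is read and not marked as spam. The address encoding (a truncated SHA-256 of the compressed public key), the shared `ledger` dict standing in for the public transaction record, the `postage` threshold and the `MAX_PAYLOAD` cap are all constructed stand-ins, not bitcoin's real formats or limits.

```python
import hashlib
import secrets

# secp256k1 parameters (the curve behind bitcoin's ECC keypairs)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

MAX_PAYLOAD = 3000  # constructed cap for the small per-transaction data budget the post mentions


def ec_add(p1, p2):
    """Affine point addition (and doubling) on y^2 = x^3 + 7 over GF(P); None is infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def pubkey(priv):
    """Double-and-add scalar multiplication: pub = priv * G."""
    result, addend = None, G
    while priv:
        if priv & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        priv >>= 1
    return result


def on_curve(pt):
    x, y = pt
    return (y * y - x ** 3 - 7) % P == 0


def address(pub):
    """Constructed address encoding: truncated SHA-256 of the compressed public key.
    Bitcoin's real addresses use a different (base58check) encoding; this is a stand-in."""
    x, y = pub
    compressed = bytes([2 + (y & 1)]) + x.to_bytes(32, "big")
    return hashlib.sha256(compressed).hexdigest()[:40]


def new_keypair():
    priv = secrets.randbelow(N - 1) + 1          # uniform in [1, N-1]
    return priv, address(pubkey(priv))


class Client:
    """One user's wallet-plus-mailbox: own accounts, address book, inbox, postage policy."""

    def __init__(self, ledger, postage):
        self.ledger = ledger        # shared dict address -> balance (stand-in for the public record)
        self.accounts = {}          # own address -> private key
        self.address_book = {}      # correspondent name -> their current address
        self.inbox = []             # accepted transactions carrying message text
        self.postage = postage      # minimum payment an unknown sender must attach

    def fresh_address(self):
        priv, addr = new_keypair()
        self.accounts[addr] = priv
        self.ledger.setdefault(addr, 0)
        return addr

    def send(self, from_addr, to_addr, amount, text, new_address=None):
        """Build a transaction moving `amount` and carrying a message (and optionally a next address)."""
        if len(text.encode()) > MAX_PAYLOAD:
            raise ValueError("payload exceeds per-transaction data budget")
        if self.ledger[from_addr] < amount:
            raise ValueError("insufficient balance")
        self.ledger[from_addr] -= amount
        self.ledger[to_addr] = self.ledger.get(to_addr, 0) + amount
        return {"from": from_addr, "to": to_addr, "amount": amount, "text": text, "new_address": new_address}

    def receive(self, tx, sender_name=None):
        """Accept if the sender matches an address-book entry or paid postage; otherwise drop."""
        known = sender_name is not None and self.address_book.get(sender_name) == tx["from"]
        if not known and tx["amount"] < self.postage:
            return False
        self.inbox.append(tx)
        if known and tx["new_address"]:
            self.address_book[sender_name] = tx["new_address"]   # rotate to the correspondent's next address
        return True

    def read(self, tx, spam=False):
        """Return the attached payment when the message is read and not marked as spam."""
        if not spam:
            self.ledger[tx["to"]] -= tx["amount"]
            self.ledger[tx["from"]] += tx["amount"]
        return not spam


def demo():
    """Constructed scenario: Bob knows Alice from a card; an unknown sender must pay postage."""
    ledger = {}
    alice, bob, newcomer = Client(ledger, 1), Client(ledger, 1), Client(ledger, 1)
    a1, b1, s1 = alice.fresh_address(), bob.fresh_address(), newcomer.fresh_address()
    ledger[a1], ledger[s1] = 100, 100
    bob.address_book["alice"] = a1                  # keyed in from Alice's business card
    a2 = alice.fresh_address()                      # Alice rotates to a new address in her next message
    accepted_known = bob.receive(alice.send(a1, b1, 0, "hello bob", new_address=a2), sender_name="alice")
    dropped = bob.receive(newcomer.send(s1, b1, 0, "no postage"))
    paid = newcomer.send(s1, b1, 1, "paid postage")
    accepted_paid = bob.receive(paid)
    bob.read(paid, spam=False)                      # not spam, so the postage goes back
    return {"accepted_known": accepted_known, "rotated": bob.address_book["alice"] == a2,
            "dropped": dropped, "accepted_paid": accepted_paid, "refunded": ledger[s1] == 100}
```

Calling `demo()` walks the four cases the post describes (known sender without payment, address rotation, unknown sender without and with postage, refund on read). The curve arithmetic is the real secp256k1 group law so the generated addresses have the same entropy as bitcoin's; only the address encoding and the postage/ledger bookkeeping are simplified.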