On Mon, Feb 17, 2014 at 11:56 PM, Brian Warner <[email protected]> wrote:
> On 2/15/14 4:50 PM, Trevor Perrin wrote:
>
>> During an offline meeting, users would exchange their long-term
>> fingerprints. They would then enter the other party's fingerprint into
>> their app, which would perform some pre-rendezvous steps:
>> - Retrieve the other party's introduction cert by querying one of the
>> mirrors.
>
> Would that require some sort of PIR protocol? Seems like the mirrors
> could learn who's interested in whom at about the same time, and thus
> deduce the connection.

Hmm, good question.

The directory would learn: "a Tor user is interested in Alice" and "a Tor user is interested in Bob". These wouldn't be tightly correlated in time, as Alice and Bob might fire up their app at different times after the meeting.

If the directory can also monitor users as they communicate with Tor entry nodes, it could attempt end-to-end timing correlation (But this is also true of a rendezvous server with meeting IDs, not just my proposal).

Some possible defenses, not sure which are best:
 - Have all users occasionally send dummy lookups to the directory.
 - Eliminate the central directory and look up a party's key at a directory of her choice. So instead of just exchanging fingerprints, Alice and Bob exchange <fingerprint><@directory-name>, and choose directories who they trust not to do these things.
 - Access the directory over a high-latency mix network, to break up the end-to-end timing correlation.

Trevor
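
An added example, not part of the original thread: a small model of the first defense, counting how many "who met whom" pairs stay consistent with the directory's lookup log with and without dummy lookups. The user names, the 6-hour correlation window, and the fixed round-robin dummy schedule are assumptions made for illustration; an observer who also watches Tor entry nodes is outside this model.

```python
from itertools import combinations

# Constructed sample data: six hypothetical users of the directory.
USERS = ["alice", "bob", "carol", "dave", "erin", "frank"]
HOUR = 3600

def candidate_pairs(log, window):
    """What the directory can infer from its own log.

    log holds (time_s, looked_up_user); Tor hides who asked. Any two
    different targets looked up within `window` seconds of each other
    might be two people who just met, so each such pair is a candidate.
    """
    pairs = set()
    for (t1, a), (t2, b) in combinations(sorted(log), 2):
        if a != b and t2 - t1 <= window:
            pairs.add(frozenset((a, b)))
    return pairs

def dummy_lookups(users, period, horizon):
    """Cover traffic: every user looks up some other user once per period.

    A fixed staggered round-robin stands in for a random schedule so the
    result is reproducible.
    """
    log, n = [], len(users)
    for i in range(n):
        t, k = i * period // n, 1
        while t < horizon:
            log.append((t, users[(i + k) % n]))
            t, k = t + period, k % (n - 1) + 1
    return log

def compare(window=6 * HOUR):
    # Alice and Bob met; each opens the app at a different time afterwards.
    real = [(1 * HOUR, "bob"), (2 * HOUR + 1800, "alice")]
    bare = candidate_pairs(real, window)
    covered = candidate_pairs(real + dummy_lookups(USERS, HOUR, 24 * HOUR), window)
    return bare, covered

if __name__ == "__main__":
    bare, covered = compare()
    print("candidate pairs without cover traffic:", len(bare))
    print("candidate pairs with cover traffic:   ", len(covered))
```

Without dummy lookups the log points at exactly one pair; with them, the real pair is still present but indistinguishable from every other pair of users in the window.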
