> By Pond's approach, I think you mean recipients hand out one-time
> delivery tokens to their senders, so their mailbox can accept messages
> or blacklist senders without learning the sender?
Taking this opportunity to discuss a slight modification to the status quo at the expense of "forward anonymity". Pond's approach is to generate X private keys and an HMAC of the associated public keys. The sender is given both sets, the receiving server gets the key to the HMAC. The slight modification is to generate the private keys by chaining a hash (only works for things like most ECC where a private key can be created from a hash). So from the initial key x, the next key is H(x) with some implementation-specific padding for domain separation. The advantages are a reduction in the token transfer size by up to half (assuming 256-bit private and 256-bit HMAC), and savings in revocation - you send the next private key to the server and it can revoke all remaining keys (with the option for a TMTO). I don't think this reduces privacy any more than sending a batch of HMACs to revoke. But it has storage savings for all three parties.
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
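Worked example of the chained-token variant described in the post above. This is added illustration code, not code from the post or from Pond itself; it assumes X25519 as the curve (any 32-byte string is a valid private key after clamping, which is what makes hash-derived keys possible), SHA-256 with a constructed domain-separation prefix as H, and HMAC-SHA256 for the server-side tags. Revocation is the post's mechanism: the recipient hands the server one private key and the server derives and blacklists every later key in the chain.

```python
import hashlib
import hmac

DOMAIN = b"delivery-token-chain-v1"  # constructed domain-separation label (assumption)
P = 2**255 - 19

def x25519(priv: bytes, u: bytes = (9).to_bytes(32, "little")) -> bytes:
    """RFC 7748 X25519 ladder; clamping makes any 32 bytes (e.g. a hash output) a valid key."""
    k = int.from_bytes(priv, "little") & ~7 & ((1 << 255) - 1) | (1 << 254)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e, c, d = (aa - bb) % P, (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def private_chain(seed: bytes, n: int) -> list:
    """Private keys x, H(x), H(H(x)), ...; H is SHA-256 over a domain-separation prefix plus x."""
    keys, x = [], seed
    for _ in range(n):
        keys.append(x)
        x = hashlib.sha256(DOMAIN + x).digest()
    return keys

def issue_tokens(seed: bytes, n: int, server_mac_key: bytes) -> list:
    """Recipient side: one HMAC tag per public key. The sender needs only the seed plus these tags."""
    return [hmac.new(server_mac_key, x25519(k), "sha256").digest() for k in private_chain(seed, n)]

class Mailbox:
    """Server side: holds only the HMAC key until the recipient revokes part of a chain."""
    def __init__(self, mac_key: bytes, chain_len: int):
        self.mac_key, self.chain_len, self.revoked = mac_key, chain_len, set()
    def revoke_from(self, priv: bytes):
        # One private key lets the server derive every later key; storing the derived set (rather than re-deriving per check) is the time/memory trade-off.
        self.revoked.update(x25519(k) for k in private_chain(priv, self.chain_len))
    def accept(self, pub: bytes, tag: bytes) -> bool:
        expected = hmac.new(self.mac_key, pub, "sha256").digest()
        return hmac.compare_digest(expected, tag) and pub not in self.revoked
```

Revoking from key i leaves tokens 0..i-1 usable and rejects i onward, while the server never sees the earlier private keys.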
