On Wed, 2015-11-04 at 15:51 +0100, Ximin Luo wrote: > Also I'm not sure if I understand those definitions properly. For > example, what's the difference between M0 and R1, and why do you say > that Pond has R0 and not R1. If Pond has R0, what does R1 even mean > in that case?
Ms are about what the mail server learns. Rs are about what the mail recipient learns. You cannot naively encrypt a multi-use token for for the mail server and encrypt the senders name for the recipient because a bad sender can use the proper multi-use token, but keep themselves anonymous from the recipient by placing garbage there, thus allowing them to DoS your mailbox. If you want both M1 and R0 together, then you must somehow encode both the authorization to the mail server and the encrypted identity of the sender in the same value. Pond need M0 or M1 to hide mtadata from the server. If Pond did not have R0, then you could eaily DoS attack someone's Pond mailbox. R0 ensure that, if you do, then they can revoke you. Pond has M0 and R0 together because it uses complex & slow pairing-based elliptic curve crypto. Single use tokens achieve M1 and R0 much more simply though. Jeff
signature.asc
Description: This is a digitally signed message part
_______________________________________________ Messaging mailing list [email protected] https://moderncrypto.org/mailman/listinfo/messaging
