Would it have to be public knowledge which message havens a given pseudonym monitors? Suppose I want to get mail to Pr0duct Cypher; don't I have to know which haven(s) to use? If we have only a (few?) hundred people on each haven, then this narrows down the pool of possible real users who are behind that pseudonym considerably.
Hal
I must be missing something in this recent debate about "message havens" and "gopherholes." To wit, what happened to the idea of posting anonymously to newsgroups? This is how folks apparently communicated with BlackNet, and it worked (I ought to know). Granted, BlackNet was a small experiment, and message traffic was slight; scaling issues need to eventually be considered, but we're very far from that now.

Some points:

* Posting to a newsgroup allows piggy-backing on two things:

1. The world-wide distribution (in most cases) of newsgroups. The newsgroups are distributed to zillions of local sites, making attempted analysis of who is checking for messages all the more difficult.

2. Piggy-backing on the use of newsreaders. That is, I can use "tin" or whatever to scan alt.w.a.s.t.e or alt.test.gif.ignore for reasonable candidates (more on identifying these below). I can mark some number of them (the ones I really want plus some number of others) for forwarding/downloading/whatever to me. All with existing systems.

* How do I know which messages are for me?

1. Maintain the subject line. Not through all remailers, natch. Suggestion: add a field below the "Request-Remailing-To:" line, like so:

   ::
   Request-Remailing-To: foo@bar.baz
   Subject: BlackNet--please read

Naturally this would be in the last, innermost encrypted message. None of the earlier remailers could see it. Only the mail-to-Netnews remailer would see it.

(A variation: If a Subject line _ever_ is nonblank, it is maintained across remailers. Then the sender can "instantiate" the subject line at whatever stage he wishes and later remailers will "honor" that subject line. Yes, the usual possibilities for abuse, mistrust, etc.)

2. Alternatively, consider a two-part message format: header and body. As Karl, Hal, and others have discussed, a short header (<1K) is still secure but can be decrypted in reasonable time.

(This is analogous to the "frame bits," or whatever, that are used to signal the beginning of a message in spread spectrum messages. I don't recollect the exact name of these header bits, but Phil Karn surely will.)

Using message pools with existing newsreaders, one can go through all the messages and decrypt the headers. Instead of marking them "read," they essentially get marked as "tried." (For various reasons, I'd recommend calling them "read"--and of course piggybacking on the existing newsreaders.)

A two-part PGP format would not be inconceivable. Many messages have multiple parts. (And the Mac uses a "data fork" and "resource fork" format.)

And I am unclear on this idea, but it seems plausible that a shortened form of the key agreed upon (the recipient's key) could be used as the title, or the first part of the title. Like the shortened keys ("fingerprints") on business cards and in sigs. (This needs more work, and I may not have explained it here in enough detail. An example may help. Alice wants to communicate with Bob, whose public key she knows (a public key probably generated just for this set of transactions, of course). Its fingerprint is "6h 34 sO 9h 31 gX 3D ....." Alice replies to the pool, and includes just the first few digits, or up to half or so. This is enough for Bob to immediately see which messages are probably his (small chance of hash collision), but not enough for others to know his public key (which actually isn't "public" in the conventional sense of being broadcast, though it may be) and thus send their own spoofing messages.)

3. Brute-force. Simply download _all_ messages in a pool and attempt decryption. This may be nearly as fast--and is certainly more straightforward--as the header/body approach. Download the messages and tell your computer to try each one...then walk away and have lunch. Or let it run overnight for truly large batches. Until pool usage gets much larger than it is today, no big deal.

And if and when pool usage grows, multiple newsgroups or pools can be used to increase the "address space." (When the original contact is made, even between anonymous-to-each-other respondents, a "pointer" to another message pool can be made. For example, "Thanks, Unicorn, for responding. Let's continue this in alt.test.images with the subject line of "Just testing this thing--ignore.")

4. Is this bad "Net Citizenship," to use the Usenet this way? Consider that a single jpeg file in alt.sex.pictures may be 5000 lines, and there are many such picture groups, and you'll immediately see that all of the message pool text traffic we could reasonably write in the next 3 years would fit into a couple dozen of these files! (Well, work out the numbers to your own satisfaction--the average Cypherpunks post is 100 lines or so.)

5. I do think the WWW/Mosaic/ftp/lynx approach has merit....and the same points as above apply:

- have subject lines, added in only after several remailings have occurred
- use a header/body format to allow rapid decryption
- possibly display part or all of the PGP fingerprint, to allow the recipient to see which messages are "his."

(I maintain that the public pool/newsreader approach allows for full security; the security comes from the anonymous pick-up of messages, via wide distribution and/or "superset pickup" (your own message plus N others, where N is large or is _all_ messages). Security should not depend on obscurity.)

In summary, message pools represent almost no drain on the Usenet or on WWW/Mosaic-type systems. Hence, we should use those systems and piggyback off them whenever possible.

--Tim May

--
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
"National borders are just speed bumps on the information superhighway."
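The three pick-up strategies Tim describes (a fingerprint-prefix tag in the subject line, a short separately encrypted header that is trial-decrypted before the body, and plain brute force over the whole pool) can be seen side by side in the toy message pool below. This is an added example, not code from the thread or from any remailer or newsreader of the period. Its crypto is a stand-in and an assumption made to keep it dependency-free: instead of PGP public keys, each pseudonym holds a symmetric secret (HMAC-SHA256 keystream plus a MAC), and the "public key" whose fingerprint goes in the subject is just a separate identifier byte string. The pool, the pseudonyms and the messages are constructed inline.

```python
"""Toy Usenet-style message pool with tagged, two-part (header/body) posts.

Assumptions (not from the original post): the recipient's long-term "key" is
a symmetric secret, and `pub` is an unrelated identifier standing in for the
PGP public key whose fingerprint is shortened into the subject tag.
"""
import hashlib
import hmac
import secrets

TAG_HEX = 6      # hex digits of the fingerprint placed in the subject line
NONCE_LEN = 16
MAC_LEN = 16


def fingerprint(pub: bytes) -> str:
    """Stand-in for a PGP key fingerprint."""
    return hashlib.sha256(pub).hexdigest()


def subject_tag(pub: bytes, n: int = TAG_HEX) -> str:
    """Only a prefix of the fingerprint is disclosed, as the post suggests."""
    return fingerprint(pub)[:n]


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || MAC. The MAC is what lets a recipient tell
    "this decrypted" from "this was not for me" during a trial decryption."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    mac = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:MAC_LEN]
    return nonce + ct + mac


def open_(key: bytes, blob: bytes):
    """Return the plaintext, or None if the MAC does not verify under `key`."""
    if len(blob) < NONCE_LEN + MAC_LEN:
        return None
    nonce, ct, mac = blob[:NONCE_LEN], blob[NONCE_LEN:-MAC_LEN], blob[-MAC_LEN:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:MAC_LEN]
    if not hmac.compare_digest(mac, expect):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def make_pseudonym(seed: bytes):
    """Deterministic toy pseudonym: (long-term secret, public identifier)."""
    return (hashlib.sha256(b"key|" + seed).digest(),
            hashlib.sha256(b"pub|" + seed).digest())


def post(recipient_key: bytes, recipient_pub: bytes, text: bytes, tagged: bool = True) -> dict:
    """Two-part format: a short header carrying a fresh session key under the
    recipient's key, and a body under that session key. Only the header needs
    to be trial-decrypted when scanning."""
    session = secrets.token_bytes(32)
    subject = "Just testing this thing--ignore"
    if tagged:
        subject = subject_tag(recipient_pub) + " " + subject
    return {"subject": subject, "header": seal(recipient_key, session), "body": seal(session, text)}


def scan_pool(pool, my_key: bytes, my_pub: bytes, decoys: int = 0):
    """Recipient side with tags. Step 1: narrow by the fingerprint prefix, then
    add `decoys` unrelated messages so the pick-up is a superset of one's own
    traffic. Step 2: trial-decrypt only the short header; a body is opened only
    when its header authenticates. Returns (plaintexts found, messages picked up)."""
    tag = subject_tag(my_pub)
    mine = [m for m in pool if m["subject"].startswith(tag)]
    others = [m for m in pool if not m["subject"].startswith(tag)]
    picked = mine + others[:decoys]
    found = []
    for m in picked:
        session = open_(my_key, m["header"])  # cheap: header only, marks "tried"
        if session is None:
            continue
        body = open_(session, m["body"])
        if body is not None:
            found.append(body)
    return found, len(picked)


def scan_brute(pool, my_key: bytes):
    """Brute force: download everything and try every header."""
    found = []
    for m in pool:
        session = open_(my_key, m["header"])
        if session is not None:
            body = open_(session, m["body"])
            if body is not None:
                found.append(body)
    return found


def demo():
    """Constructed pool: two tagged messages, noise, and one untagged message
    for Bob that only the brute-force scan will notice."""
    bob_key, bob_pub = make_pseudonym(b"Pr0duct Cypher")
    alice_key, alice_pub = make_pseudonym(b"Unicorn")
    pool = [post(bob_key, bob_pub, b"meet in alt.test.images"),
            post(alice_key, alice_pub, b"for Unicorn only")]
    pool += [post(*make_pseudonym(b"noise%d" % i), b"noise", tagged=False) for i in range(5)]
    pool.append(post(bob_key, bob_pub, b"untagged, found only by brute force", tagged=False))
    tagged_hits, picked = scan_pool(pool, bob_key, bob_pub, decoys=2)
    return tagged_hits, picked, scan_brute(pool, bob_key)
```

Two things the toy makes visible. First, the tag trades work for linkability: every message carrying the same prefix is trivially attributable to one pseudonym by anyone reading the group, which is exactly why the "superset pickup" of decoys matters on the fetch side. Second, the header/body split is what keeps trial decryption cheap: a failed MAC on a ~64-byte header costs one HMAC, so "try every message, then have lunch" scales with the number of posts, not with their size.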