Martin Minow <minow@pobox.com> writes:
> Adam Back <aba@dcs.ex.ac.uk> notes that the "Toto death thread" posting was signed using the "son of Gomer" Blacknet key that was broken by Paul Leyland (read through the past few days of the archives to get the context).
Note the `son of gomez' key was _encrypted with_ the Blacknet key. Toto/anonymous was submitting his information for sale to Blacknet, so he used a `digital dead drop' -- encrypted with Blacknet's key and posted in a public place (cypherpunks), however he (it appears intentionally) used the weak 384 bit Blacknet key which Paul Leyland's announce claims was created by Larry Detweiler. Also note that Paul Leyland (and Alec Muffett, Arjen Lenstra, Jim Gillogly) factored that key a _long_ time ago, Jun 1995 (see the Date on the attachment of the announce to one of my earlier posts.) Perhaps you understood that, but what you wrote (son of Gomer Blacknet key?) was confusing.
> Adam notes: "Implications? Others had CJs keys? Toto is someone other than CJ?"
> One other implication to consider: you might be able to attain semi-deniability by signing a message with a key that is breakable by an adversary with governmental resources (to use a euphemism) but not by an ordinary, presumably less motivated, cracker.
This is similar to the time-delay crypto proposals made by Tim May and more lately David Wagner (and some other authors who I forget, I think Schneier). One of the time-delay crypto protocols is to encrypt the information one wants a time-delayed release of with weak encryption requiring approximately the amount of time you wish to delay to break. 'Course it doesn't work in general because it depends entirely on the resources of the attacker. Really you need a third party to publish private keys at delayed intervals. But for your suggested application -- plausible deniability for `speaking truth to kings' -- it works fine, because that's the point: plausible deniability against well resourced attackers (you are in trouble if well resourced attackers are interested in you anyway), but some value to the signature for low resourced attackers. Other ways to provide plausible deniability are to not sign public posts, and to use non-transferable signatures for private email.

Adam