Adam Back writes:
Probably a good rule of thumb is never to sign anything and always post via a mixmaster chain.
Good idea!
Some messages don't need a persistent nym even. Perhaps one could construct a zero knowledge proof of nym reputation rating without identityfing the nym which might be useful for filtering without linkability.
This could be done via some of the recent work on group signatures. Efficient methods have been developed to show that a message is signed by a key, without revealing what the key is, but proving that the key itself is signed by a specific other key. Imagine an editor who only signs keys belonging to people who deserve to get through filters. Call this "endorsing" a key. If you respect that editor, you set your filters to let messages through which are by keys he has endorsed in this manner. Now, people can submit messages anonymously, but in such a way that they are provably written by an endorsed key, without revealing which key it is. The protocols are reasonably efficient, with signature verification taking about 20 times longer than a regular DSS signature. However the methods involve blind signatures, and hence would infringe upon Chaum's patent. The group signature was described at Crypto 97; an extension for blind group signatures at Asiacrypt 98; and more work will be presented at FC 99.