On 19 Jul 96 22:31:16 -0800, dfloyd@IO.COM wrote:

...

A) Only accept files with valid PGP signatures from accepted keys - this is one area where PGP's commandline interface is a plus - just write a batch script. Demand that a separate file be sent first, signed by a certain key. This file would contain valid filenames for the rest of the session. If a non-listed file is sent, kill the session. This could all be automated with a simple program. You could probably even use SSLs and similar to do it on a website if you could swill the PGP bit - maybe a plugin?

This defeats the purpose of the data haven. If I did stuff like that, then why not use McAffee's WebStor, where you FTP files over to your personal "vault"?

What I was trying to propose was that you provide a key for usage when they first initiate usage of your site. They could then use that key to send stuff to you. Neither party needs to know who the other person is, merely that he is using the agreed upon key. This would let you revoke the keys of offenders.

...

B) bounce trash back.

If someone is shipping through a remailer, how would that help?

I'm assuming most remailers allow 2 way traffic. Alternately, just send email to the remailer operator. Rather than get spammed by the bounceback, he would probably block that site from sending to you... (Or revoke their account entirely)

I plan to make this as anonymous as possible. Reason? Everything else is just posing. I was intending this to be a place that one could be assured of anonymity -- the data haven doesn't even know if the user can use PGP.

I was using PGP as an example. If you really want portable, use that Java PK library and write a custom frontend for it. You just need to use an agreed upon key for verification. Now, if they wanted, a secure method might be using PK-aware remailers - pk channel from you to remailer, using your keys, pk channel from remailer to them, using their keys. This would let you exchange a key securely... Of course, it would involve trusting the remailer operator, but you'd have to do that anyway. // Chris Adams <adamsc@io-online.com> - Webpages for sale! Se habla JavaScript! // Automatically receive my resume or PGPKEY by sending email with a subject // of 'send PGPKEY' or 'send resume'. Capitalization counts so be careful!