[Cryptography] Thoughts about keys

[Perry E. Metzger]

On Mon, 2 Sep 2013 03:00:42 +0200 Faré <fahree at gmail.com> wrote:
> >> At intervals, the trustworthy organization (and others like it)
> >> can send out email messages to Alice, encrypted in said key,
> >> saying "Hi there! Please reply with a message containing this
> >> magic cookie, encrypted in our key, signed in yours."
> >>
> The cookie better not be a a value that the organization can
> skew with its own "random" source, but be based on a digest of
> consensual data, such as the date (with sufficiently coarse
> resolution), the top of the consensual database (if any),
> public weather measurements from previous day, etc.

I don't understand why. The security requirement is that third
parties must *not* be able to predict the token, because then they
could sign the token without controlling the email address. The only
organization that can know the cookie is actually the organization
sending the cookie out. You appear to have inverted the security
requirement...

> Then, each user can just broadcast his signature
> of the previously unpredictable consensual data,
> and various timestamping organizations can sign messages that say
> "yes, I saw that at this time",
> maybe charging some tiny usage fee in the process.

But then *anyone* could broadcast the token because anyone could have
predicted it.

It is difficult to make the interchange of the token and the reply
itself widely witnessed -- the way around that is to have many
organizations doing the interchanges so that one would have to suborn
all of them.

> After a deadline, the organization publishes
> the definitive merkle tree digest of who was seen on time,
> together with the common salt.

That is part of the envisioned model. Currently I'm looking at how to
take advantage of the work already done on Certificate Transparency.

Perry
-- 
Perry E. Metzger		perry at piermont.com