Re: [Asrg] My take on e-postage

It's a lot more than that that the stamp vendor needs to keep track
of.  The first thing that comes to mind is that recipients need a
way to check that a stamp hasn't already been used

Not necessary, if the stamp cryptographically includes both the
sender and recipient addresses.


Then the recipient needs a way to check the crypto signature - and even
then, you have to figure out a way that stamps can't get reused with
forged sender addresses.  (That is, X sends mail to Y, with a valid
stamp <X,Y>.  Spammer gets hold of a copy (through any of many possible
means) and sends mail with that stamp, to Y, forging X's address as the
sender.)

But the recipient Y will be able to tell if he's seen the same stamptwice. That's trivial to deal with, especially since most modern MUAs(well, Eudora and Apple Mail, anyway) index their mail archive alreadyby default.

As for verifying crypto signatures, the public key from the vendor isneeded for that, since the vendor issued the stamp. This is, broadlyspeaking, a one-time operation, which happens after the sender vendor'strustworthiness has been looked up. It's also an operation that couldpotentially be offloaded on the recipient's vendor, since the recipientis probably going to send the stamp there for reimbursement anyway.

Another solution is to use a proof-of-work stamp,

There really is no such thing.  Hashcash is not something that can
be attached to a message; it requires an interactive protocol.
(There may be some way to do proof-of-work in an open-loop form, but
I haven't seen it yet.)

Why is this?


Why?  Simply because all the hashcash protocols I've seen outlined, or
that I've thought of, involve some kind of challenge by the recipient
which must be answered by the "payer".  A simple example might be "find
a data blob whose SHA-1 hash has these 20 bits set to these values".

As I said, I don't know whether this is an inherent property of
hashcash (by which I really mean "proof-of-work", even though,
strictly, hashcash is but one form of p-o-w) or whether it's just an
artifact of the hashcash schemes I am aware of.  But until someone
shows me one which doesn't have that property, I have to operate under
the assumption that no such thing exists.

Ah, I see what you're missing. What you need is more like "find a datablob Y, which is different from this challenge X, where both X and Yhave the same first N bits in their SHA-1 hash". The challenge canthen be arranged so that it contains various pieces of informationabout the mail itself, such as the sender, recipient, creation date andtime, and possibly part of the content and/or some of the other headerfields.

This way, the sender and the recipient can both figure out what thechallenge should be (except for the number of bits, but a sensibledefault can be assumed), and the sender can then, with reasonableconfidence about validity, attach the hashcash stamp to the mail. Ifthe sender has previously conversed with this recipient, it will alsohave a priori knowledge of N, improving efficiency.


--------------------------------------------------------------
from:     Jonathan "Chromatix" Morton
mail:     chromi(_at_)chromatix(_dot_)demon(_dot_)co(_dot_)uk
website:  http://www.chromatix.uklinux.net/
tagline:  The key to knowledge is not to rely on people to teach you it.


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg