Re: [GNU/consensus] [SocialSwarm-D] Fwd: FYI: Securing the Future of the Social Web with Open Standards

[Michael Rogers]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 25/07/13 08:58, elijah wrote:
> * Third-party-dropbox: To exchange messages, user A and user B
> negotiate a unique "dropbox" URL for depositing messages,
> potentially using a third party. To send a message, user A would
> post the message to the "dropbox". To receive a message, user B
> would regularly polls this URL to see if there are new messages.

Hi Elijah,

I'm curious about the third-party dropbox idea (partly because I'm
currently working on an HTTP dead drop transport for Briar). It seems
like there are two ways you could do this:

1. The dropbox is shared by multiple users; when user A authenticates
and deposits a message, she tells the dropbox that user B is allowed
to collect the message.

2. The dropbox is only used by one pair of users; when user A
authenticates and deposits a message, the dropbox knows it's for user B.

In either case, the dropbox has metadata about who's communicating
with whom. In case 2, anyone watching the dropbox also has that
metadata. (In case 1, anyone watching the dropbox has that metadata
unless communication with the dropbox is encrypted and padded.)

So I don't see how this technique is metadata-resistant, except in the
short term (NSA has to arrange metadata collection from a new service
provider). What am I missing?

Cheers,
Michael

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJR8OLFAAoJEBEET9GfxSfMS18IAIyZb4uFSHh41i6dXgivVP/W
m2N3WuRP3DUAnf846crXGhOyoJrYUqmiuiHFPZp7lQfnKkXai+/pyBjKbIgv0Q8T
WPRfyqDRQ7mEc2mLdh5Z99afh4yEZRuPGyR2hZRwkDLha9CzKIHSlefCPNkU26c8
zJbWhJTifsynOoRvopp2on5nMcEHVxB09Q43g7B0yLxI+zzO5EUF8RbYx7Oj/25P
RHIOPzx0cy7t3xF7OQUEAkA+lfh5roYWjGquJuxzMRGqdx1bzIwHo6PgBnC1uIP1
vRz+7di6LAduRicZAyQYNCbekrJezdxqqFqrTauAIiGTgGfkT0BqRZuw7hLwR5g=
=H/+V
-----END PGP SIGNATURE-----