automatic self-blacklisting

[dmolnar <dmolnar@hcs.harvard.edu>]

Roger and I talked briefly about abuse prevention and mixminion. In
particular, we wanted a way for users to automatically add themselves to a
remailer's outgoing blacklist to avoid unwanted anon mail. At the same
time, we did not want someone to forge a user's address and so add him or
her to the blacklist unknowingly.

Here is a way to do it that ensures a user must receive at least one piece
of mail from the remailer before he or she can be added to the blacklist.
An adversary eavesdropping on the user can still forge the user's
blacklist addition request, but we figured that such an adversary could
just cut the user off directly.

0) At key creation time, each remailer picks a random key K. The key is
kept secret for the life of the remailer and never shared.

1) When the remailer forwards the message on to a destination, it includes
the string
	MAC(K, <des_address>)

where MAC is a secure message authentication code (e.g. HMAC)
and <des_address> is the address of the destination.

2) To add himself/herself to the blacklist, the user sends the triple

	("add-to-blacklist",<user_address>, MAC(K, <user_address>))

to the remailer.

3) To remove himself/herself from the blacklist, the user sends the triple

	("remove-from-blacklist",<user_address>, MAC(K, <user_address>))

to the remailer.

An adversary that does not eavesdrop on the user's mail cannot forge
MAC(K,<user_address>). Nor can a user efficiently determine MAC(K,
<user_address>) unless it has received mail from that remailer.

I am a little worried, however, about including the MAC(K, <user_address>)
as an extra header in outgoing messages. For one thing, if the message is
forwarded afterwards, then the recipient can forge the user's request for
addition using the information in the headers. Any ideas?

other comments?

thanks,
-David