by lazide 723 days ago
Except it doesn’t.

You can still verify the message was signed by the generated (and attached) key, and no other. Aka verify integrity.

If the goal is to be anonymous, then being able to verify it was signed by a given individual is of course fundamentally undesirable no?

You fundamentally can’t be able to both verify a given individual signed something AND have who signed something be actually anonymous. At best you can obfuscate or attempt to hide who signed it, but if you have a candidate you can check. Which means they aren’t really anonymous.

Just not immediately identifiable. If you have a suspect, you can still nail them.

If you generate a new pub/private key pair per post, if desired the poster could retain the private key and still prove they wrote it later - while not being otherwise identifiable if they wanted to remain anonymous.


> If you generate a new pub/private key pair per post, if desired the poster could retain the private key and still prove they wrote it later

Digital signatures can't prove authorship that way, though. If I write a message m to you, you can be certain that I sent you that message, but not that I was the one who originally wrote it.

> You fundamentally can’t be able to both verify a given individual signed something AND have who signed something be actually anonymous.

Exactly: Signatures without any concept of signer identity don't make sense.

Except they do - case in point:

Ownership of the private key (of the original pub/priv key pair) is as strong a verification of ownership as crypto can provide. And the private key could just as easily be signed by the ‘public’ key pair, which is signed by others if you wanted some web of trust whatever. While not requiring disclosure or external per-key signing or validation of the posting keys.

And someone being able to provide that private key on demand would allow them to de-anonymize themselves if they wanted, without anyone else being able to force them to do so - by, say, re-signing the message with a different nonce/padding, same key pair, same cipher text. So they could, if desired, prove to someone else they wrote it, while not having to disclose the private key.

And they could prove to themselves (trivially) that it was their post that made it intact to wherever it was supposed to be posted. And everyone else could verify the post hadn’t been tampered with, without having a clue who made the post. (And yes, someone could duplicate the post with their key - but the original poster could detect that!).

But no one could forcibly de-anonymize them, or impersonate them in a way that would withstand that verification.

Seems potentially useful, no?

Ownership of the private key proves exactly ownership of the private key. Sometimes that means you're trusted to make certain statements (e.g. about value transfers in the case of cryptocurrencies); other times that means you can identify yourself in some scheme.

What you definitely can't do with that by itself is prove that you are the author of a message signed with a given key, because anybody else could just sign the same original message with their key, and then send a follow-up message using that same key. How'd anyone know which message, and by extension which key, is the real one?

You need some extra infrastructure to pseudonymously prove authorship, e.g. a secure timestamping service.

I already addressed that situation.

In this situation, ownership of the private key is proof you could have written the message (and no one else could have, unless the key was compromised).

Which from the point of de-anonymizing yourself intentionally is more than good enough.

If you copy and pasted the original from someone else, that doesn’t matter in this situation no? You still ‘reposted’ it as your own.

Since the scenario is someone going after the authors of a post. Or someone who posted showing they were the ones who did the post.

Any timestamps would be provided by the forum the posts are in.

> If you copy and pasted the original from someone else, that doesn’t matter in this situation no? You still ‘reposted’ it as your own. [...] Any timestamps would be provided by the forum the posts are in.

Oh, you're assuming all of this in the context of an authenticated/tamper-proof communications platform with trustworthy timestamping?

Sure, then your scheme works, but it'd be little more than cargo culting: You don't need any signature scheme at all if you trust the messaging platform :) And vice versa, if you don't, you can't trust it to not tamper with the original "key establishment" message either.

I’m not sure why you seem to be getting wrapped around the axle here.

There is zero need for a ‘key establishment’ message here. The platform has zero need to, or reason to, even be aware of the existence of these keys. All it needs, frankly, is a simple WORM style ‘post that has a timestamp’ (with encoded signature + one-time-use pubkey embedded of course, which can be done compactly and in Base64).

The only ‘trust’ of the platform required would be that they aren’t tampering with timestamps or arbitrarily changing contents - and even then, the actual impact is quite limited correct? Since it would detect tampering of message contents, and timestamp changes are of dubious impact in most of these scenarios. At most someone could post the same thing as you (or similar) but under a different key - which no one could prove was you and would be anonymous. If there was someone you wanted to be able to verify it was from you, you could easily do so while remaining anonymous to everyone else.

Usenet, HN, IRC, Twitter/X, or frankly any of a number of basic web forums would be fine. Accounts could be disposable, and probably should be too.

That’s the whole point.

None of this needs, or would really benefit from, specialized infrastructure besides some client side scripts that could easily just do cut/paste style interactions of messages to/from whatever medium was being used. I’d bet $20 this could even be implemented using GPG with some scripting.

Unclear why anyone would care while we have major celebrities bleating out the color of their poop and their latest political crimes for all the world to hear though.
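An added example (not code from either commenter) of the scheme argued over in this thread: a per-post Ed25519 key pair, with the one-time public key and the signature appended to the post body in Base64 so it can be pasted into any plain-text forum. It shows what the signature establishes (the body was not altered, and whoever holds the matching private key produced it), that a second party can sign the same body under a fresh key and the original poster can tell the two apart by the embedded public key, and how the poster can later prove they still hold the retained private key by signing a verifier-chosen challenge. The `-----sig-----` marker, the post layout and the function names are assumptions made for this example, not any platform's format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Wire format assumed for this example: the body, a marker line, then the
// Base64 one-time public key and the Base64 signature on two lines.
const marker = "\n-----sig-----\n"

// SignPost generates a fresh key pair for this single post, signs the body,
// and returns the pasteable text plus the private key (kept only by the poster).
func SignPost(body string) (string, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", nil, err
	}
	sig := ed25519.Sign(priv, []byte(body))
	post := body + marker +
		base64.StdEncoding.EncodeToString(pub) + "\n" +
		base64.StdEncoding.EncodeToString(sig)
	return post, priv, nil
}

// VerifyPost checks that the body was signed by the key embedded in the post.
// It establishes integrity and the binding to that key, nothing about who holds it.
func VerifyPost(post string) (string, ed25519.PublicKey, error) {
	i := strings.LastIndex(post, marker)
	if i < 0 {
		return "", nil, errors.New("no signature block")
	}
	body := post[:i]
	lines := strings.Split(strings.TrimRight(post[i+len(marker):], "\n"), "\n")
	if len(lines) != 2 {
		return "", nil, errors.New("malformed signature block")
	}
	pubBytes, err := base64.StdEncoding.DecodeString(lines[0])
	if err != nil || len(pubBytes) != ed25519.PublicKeySize {
		return "", nil, errors.New("bad public key")
	}
	sig, err := base64.StdEncoding.DecodeString(lines[1])
	if err != nil || len(sig) != ed25519.SignatureSize {
		return "", nil, errors.New("bad signature")
	}
	pub := ed25519.PublicKey(pubBytes)
	if !ed25519.Verify(pub, []byte(body), sig) {
		return "", nil, errors.New("signature does not match body")
	}
	return body, pub, nil
}

// ProveKey signs a verifier-chosen challenge with the retained per-post key.
func ProveKey(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// CheckProof verifies a challenge signature against the key embedded in the post,
// i.e. that the prover holds the private key that signed this particular post.
func CheckProof(post string, challenge, proof []byte) bool {
	_, pub, err := VerifyPost(post)
	return err == nil && ed25519.Verify(pub, challenge, proof)
}

func main() {
	body := "constructed sample post body" // constructed sample input
	post, priv, err := SignPost(body)
	if err != nil {
		panic(err)
	}
	_, pub, err := VerifyPost(post)
	fmt.Println("original verifies:", err == nil)

	// Anyone can alter the body, but the embedded signature then fails.
	_, _, err = VerifyPost(strings.Replace(post, "sample", "edited", 1))
	fmt.Println("tampered body detected:", err != nil)

	// Anyone can repost the same body under their own fresh key; it verifies,
	// but the original poster can see the embedded public key is not theirs.
	dup, _, _ := SignPost(body)
	_, dupPub, err := VerifyPost(dup)
	fmt.Println("duplicate verifies:", err == nil, "| same key as original:", dupPub.Equal(pub))

	// Later, the poster proves possession of the per-post key without revealing it.
	challenge := []byte("verifier-chosen nonce") // constructed challenge
	fmt.Println("proof against original:", CheckProof(post, challenge, ProveKey(priv, challenge)))
	fmt.Println("proof against duplicate:", CheckProof(dup, challenge, ProveKey(priv, challenge)))
}
```

Because the signature is over the body only and the key is used once, nothing in the post ties it to an account; the only long-term secret is the private key the poster chooses to keep, and discarding it removes even the option of proving possession later.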