i quite like the anti-spam property of converge that i described yesterday. but it also seems a bit too harsh to prevent all automated initiation of contact. how can we enable some unilateral initiation, as an extra that you specifically need to enable?

in particular, while the data flow in converge is amenable to anonymity, initiating contact shouldn’t be, indeed it should be at least moderately traceable.

so. assuming alice wants a way to initiate contact with bob:

  • bob needs to have invited contact - by generating a public key and listening for contact requests on it
    • there may also be some sort of secret, which carol needs to have
  • bob should receive some information about carol
    • mostly to provide some path for recourse for abuse
    • e.g. the path through the network from carol to bob
      • this allows blocking spammed requests from the same area of the network
  • nodes along the path need to know who carol is
    • in order to route the contact initiation
  • nodes along the path don’t need to know where the request came from or what path it took
    • each node encrypts the previous path to the recipient
    • if the public key on the current path doesn’t match the source of the message, it is discarded
  • nodes along the path don’t need to know who bob is
    • bob signs the request with an ephemeral key
    • carol decrypts the whole path, identifies each node along it, and decides whether to go ahead
    • carol does diffie-hellman with the ephemeral key that bob supplies and derives a master key for a new mutable object
    • now carol and bob can communicate via that object

this does make the data model a bit messier though - the invitation isn’t really data, but i’m not sure what it is. it is at least not subject to man in the middle attacks, assuming that carol has bob’s public key.