quasi-deniable signing

John Kane <jkane89@softhome.net> Sat, 13 April 2002 20:19 UTC

Date: Sat, 13 Apr 2002 10:59:33 -0400
From: John Kane <jkane89@softhome.net>
To: ietf-openpgp@imc.org
Subject: quasi-deniable signing

Think of the MAC scheme as one example of a 'volatile' sig.
It might be a little easier to follow in this variant:

Suppose someone anonymously publishes
  symmetric_encrypt( K, msg )    [K is a session key]
  encrypt_Bob( sign_Alice( encrypt_Bob(K) ))

Then Bob 'knows' that only he and Alice initially have K,
and since K decrypts the message, Alice is the only one
who could have encrypted it.  Bob can disclose 'msg' to
others, and can disclose K to demonstrate that he was a
recipient of the anonymously-posted message, but that's it.

Unless Bob reveals his private decryption key, he can't prove
that Alice had any knowledge of K, or of 'msg'.  Even if he
does that, he can only show Alice sent him K, and it might
have been Bob himself who 'forged' sym(K,msg).  The essence
of this scheme is that Alice never signs anything derived
from the message content, and only authenticates a shared
secret.  Anyone can generate sym(K,msg), and the signature
is not bound to the message.

(Alice can't send a message with sign_Alice(encrypt_EVE(K))
and sign_Alice(encrypt_Bob(K)) safely, because it allows Eve
to forge sym( K, msg-2 ), intercept Bob's copy of the message,
and impersonate Alice. This scheme's not appropriate for general
multiple-recipient situations.)

 ** ** **

In the other 1-of-N "how to leak a secret" scheme, Alice
needs N-1 other people's public keys to *generate* the
signature, but the resulting signature is public and can
be verified at any time by any person who knows the N
public keys.  Applying the N public keys to the N-part
signature gives the hash of the message, so the signature
is bound to the message in the normal non-volatile way.

Call me silly, but I don't think the OpenPGP protocol really
needs either of these modes as part of the standard.
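
Added example, not part of the original message: a sketch of the first scheme above, showing that Alice's signature over encrypt_Bob(K) verifies equally well for a message Bob writes himself. Assumptions: toy textbook RSA on small fixed primes and a SHAKE keystream plus HMAC stand in for the real primitives, the outer encrypt_Bob layer is omitted, and all names and sample values are constructed.

```python
# Added illustration: toy textbook RSA (Mersenne-prime moduli, no padding) and a
# SHAKE keystream + HMAC stand in for the real primitives. Not secure.
import hashlib, hmac

E = 65537

def keypair(p, q):
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))   # (public, private)

def rsa(x, key):
    n, exp = key
    return pow(x, exp, n)

def digest(x, n):
    return int.from_bytes(hashlib.sha256(str(x).encode()).digest(), "big") % n

def xor_stream(kb, data):
    stream = hashlib.shake_256(kb).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def sym(K, msg):                      # stand-in for symmetric_encrypt(K, msg)
    kb = K.to_bytes(16, "big")
    ct = xor_stream(kb, msg)
    return ct, hmac.new(kb, ct, hashlib.sha256).digest()

ALICE_PUB, ALICE_PRIV = keypair(2**89 - 1, 2**61 - 1)
BOB_PUB, BOB_PRIV = keypair(2**127 - 1, 2**107 - 1)

def alice_post(K, msg):               # Alice signs encrypt_Bob(K), never msg
    wrapped = rsa(K, BOB_PUB)
    return sym(K, msg), wrapped, rsa(digest(wrapped, ALICE_PUB[0]), ALICE_PRIV)

def bob_accepts(post):                # Bob's check; returns plaintext or None
    (ct, tag), wrapped, sig = post
    if rsa(sig, ALICE_PUB) != digest(wrapped, ALICE_PUB[0]):
        return None
    kb = rsa(wrapped, BOB_PRIV).to_bytes(16, "big")
    if not hmac.compare_digest(tag, hmac.new(kb, ct, hashlib.sha256).digest()):
        return None
    return xor_stream(kb, ct)

def bob_forge(post, msg2):            # Bob re-uses Alice's signature unchanged
    _, wrapped, sig = post
    return sym(rsa(wrapped, BOB_PRIV), msg2), wrapped, sig

K = int.from_bytes(b"constructed-key!", "big")   # constructed sample key
ORIGINAL = alice_post(K, b"constructed message from Alice")
FORGED = bob_forge(ORIGINAL, b"text Alice never wrote")
```

Both ORIGINAL and FORGED pass bob_accepts with the identical signature value, which is why a third party shown the transcript learns nothing about who produced sym(K, msg).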