
I would imagine that any shared mailboxes should be capped to force mailbox rotation at the exact same time. Once a mailbox hits a predetermined limit, all the peers refuse to accept additional messages. Basically the exodus of users from a mailbox should happen all at the same time. Those users then randomly choose any of the other new mailboxen out there being formed. You would never be with the same cohort from one mailbox to the next. A few hundred randomly allocated and rotated monthly should help. I need to go back through that presentation again. Anyone thinking about anonymity should read it. It's brilliant.

The other thing we need is a way to easily handle multiple keys so that if one key is compromised then we only give up a small amount of data. Ideally we would want one key per contact, but this of course would be prohibitively expensive computationally because I'd have to compare every message in that 10GB against every key I have per person. However being able to have maybe a half dozen public keys randomly distributed among your contact list would help. A totalitarian government forcing key disclosure with the threat of jail time would have to have all your public keys to determine whether or not you have disclosed all the information you have received. This would do the same for shared mailboxes as Truecrypt did for deniability that additional partitions exist. You can even distribute your keys among the different bootable Truecrypt volumes you have.

At the end of the day, public key disclosure shouldn't be a lookup but a give a key, get a key system. Basically, I would submit a new public key to you via some secure web interface which would deliver a one time message to you at the shared mailbox you're using. At some later date, you generate a new public key for communicating with me (or use one of your current keys in rotation) and send me a message that contains the address of the mailbox I'm currently using and that key which I should use until I revoke it or issue a new one.

Ultimately we need a system that disguises how many people we are communicating with, partitions those people with multiple keys, that affords me plausible deniability since an attacker wouldn't know how many keys or mailboxes I'm using and where the level of security I am afforded is only bounded by the disk space, bandwidth and CPU time I'm willing to throw at the problem. This scales with paranoia.

On top of that we need a system that provides us temporal security. If all my files and communications are partitioned cryptographically by date, I can acquiesce to a warrant that specifically details the dates in which they are interested instead of giving them everything I have. If they have a specific crime they are investigating (which they should have), then they should be able to state the specific date ranges that contain the evidence they are looking for. This prevents fishing for dirt.
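As an added illustration of the date-partitioned storage the comment above proposes (a constructed example, not code from the thread or from any real mail system): every calendar day gets an independent subkey derived from a master key, messages are sealed under the key of the day they arrived, and a warrant naming a date range is answered by handing over only those day keys. The cipher is a stdlib-only HMAC counter-mode construction chosen to keep the example self-contained; a real deployment would use an AEAD.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta

def hkdf_expand(prk: bytes, info: bytes) -> bytes:
    # Single-block RFC 5869 HKDF-Expand with SHA-256 (32-byte output).
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()

def day_key(master: bytes, d: date) -> bytes:
    # Independent subkey per calendar day: one day's key reveals nothing about another's.
    return hkdf_expand(master, b"day-partition-v1/" + d.isoformat().encode())

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode. Demo construction only; use an AEAD in practice.
    blocks = [hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
              for ctr in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def encrypt(key: bytes, plaintext: bytes, nonce: bytes = b"") -> bytes:
    nonce = nonce or secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong day key or tampered message")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def store(archive: dict, master: bytes, d: date, msg: bytes) -> None:
    # Messages are filed under the day they arrived and sealed with that day's key only.
    archive.setdefault(d, []).append(encrypt(day_key(master, d), msg))

def disclose(master: bytes, start: date, end: date) -> dict:
    # What is handed over for a warrant naming start..end inclusive: just those day keys.
    days = [start + timedelta(i) for i in range((end - start).days + 1)]
    return {d: day_key(master, d) for d in days}

def read_with_keys(archive: dict, keys: dict) -> tuple:
    # What the holder of the disclosed keys can recover; every other day stays opaque.
    readable, unreadable = {}, 0
    for d, blobs in archive.items():
        for blob in blobs:
            if d in keys:
                readable.setdefault(d, []).append(decrypt(keys[d], blob))
            else:
                unreadable += 1
    return readable, unreadable
```

Note that the master key still opens every day, so this gives selective disclosure rather than the forward security raised in the reply below; a hash ratchet that discards old day keys gives forward security instead, but then disclosing one day's key also unlocks every later day.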




I think forward security is the equivalent of temporal security, in a sense. You can't give anything from the past, unless you saved it. The problem is it does need secure key exchange, which only works over low latency networks, and low latency anonymity networks, like TOR, have their limits. In a similar fashion, I'm not sure how key exchange for temporal security will work over mail.

Regarding multiple keys: Using multiple emails/nym accounts gives you that.




