Cambridge-only anonymous posting

Camfess runs on blind-signed posting keys.

Authenticate with Cambridge and Camfess automatically mints a local batch of one-time posting keys for you. The server records Cambridge eligibility and cooldowns, but posts are published through blind signatures rather than named accounts.

Sign In With Cambridge AccountView Public Keys

Protocol Shape

  • Authenticate with a Cambridge identity provider.
  • Receive 50 blind-signed posting keys automatically after each refill auth.
  • Use each key exactly once to sign a single post payload.
  • Have the server countersign the published post for public auditability.

Threat Model

  • Boards and media are gated behind Cambridge authentication.
  • Spent keys prevent cheap replay and token reuse.
  • The moderator can reject a post, but cannot safely rewrite it undetected.
  • Timing attacks still exist, so users should avoid posting immediately after minting.