That is if there is no cost to having multiplexed transactions, unlimited number of public keys, and the delays and limited time windows of CoinJoin or the blockchain + hash check bloat of Zerocoin. I am also thinking of a Visa-scalable block chain. Your naive users will never be using Bitcoin anyway, because the blockchain can't scale. By making CoinJoin popular, you will have further cemented Bitcoin's inability to modify the block chain design in this respect (although there may be a way to scale the block chain with multiplexed transactions and unlimited public keys, I am still studying this).
If there is no cost, I am not against it. I am arguing it is lower priority, not that it isn't worth considering if it fits into the big picture goals.
...
...
...
Look at the above. I am happy to have the world know I am giving 5BTC to this effort, and I am happy for Gregory Maxwell to know that it is me where the money is coming from. But why should I give the whole world insight into my finances? With CoinJoin I won't have to use something as convoluted as encrypting an access key, and the proposals above share a common thread of being such that all the actual complexity can be hidden away in software with a sufficiently sophisticated implementation.
So why not have a separate individual BTC pool of capital for those purposes where you explicitly want to be public? Else send him a paypal to his email address. (Personally I wouldn't be announcing publicly my ownership of Bitcoin, because I think the governments are going to demand capital gains taxes in arrears, when they declare it isn't money rather a good like gold).
My upthread solution basically was to use high-latency mix-net (which doesn't exist!) and always be anonymous, else use the centralized banking system.
One problem with my proposed solution is the fungibility of taint. I had not read the linked thread prior to writing the above, thus didn't realize the gravity of the numerous mentions of "taint" in the OP.
I suppose there are rare cases where you want to give your identity to someone trusted but not the identity of the merchant to your bank. But that hardly seems like a compelling use case to justify such convoluted systems as proposed for CoinJoin.
Another problem with my proposed solution is that although it does protect our privacy, it doesn't protect our anonymity in an important use case, which I had mentioned as quoted above. Note some prior discussion that privacy and anonymity are related but not the same. The case is we want to be anonymous to the banks, i.e. we don't want all our payment history to be known to anyone (perhaps for legal, criminal, and free speech liability reasons), yet we have no choice but to reveal our identity to the merchant in order to use the service. An example is participating in a videochat forum (without a physical disguise) on some topic which is considered amoral, illegal, or threatening in some jurisdictions but not in others. For example paid sex videochat is illegal in some countries but not in others, but I am sure there are many other legitimate examples which are less offensive to readers here.
Without coin laundries, the only way to solve the above is to rely on the merchant to keep your public key secret. The merchant could even set up a server which receives the payment proof via BitMessage (and returns an access code which can be used on the merchant's website), so that the public key storage server's location can't be known by anyone other than the merchant. However the problem is that relying on the merchant is inherently insecure.
Also, even if the payer doesn't care about his anonymity and privacy, the merchant might, so the taint issue is also to a lesser degree about knowing who to pressure to reveal information about the merchant, i.e. the merchant might protect the identity of his customers well but the customers might not automatically protect their own identities well.
I am now looking at adam3us (Adam Back)'s ring signature suggestion. What are the tradeoffs of a ring signature approach?
I will re-read this thread and the other one to see if I find the answer. If there is anything to add to what has been already written in the two threads, please do. Especially to make the discussion more readily comprehensible for someone who is mathematical but not well studied in cryptography terminology ("oracles", etc.).