From: dclunie@pax.tpa.com.AU (David Clunie)
Date: Wed, 25 Nov 92 00:03:49 PST
To: cypherpunks@toad.com
Subject: Re: CypherPunks Mailing list
Message-ID: <9211250803.AA01586@britt>
MIME-Version: 1.0
Content-Type: text/plain


> From yanek@novavax.nova.edu Wed Nov 25 18:20:16 1992
> There always remains the issue of trust.  How can I know that your system 
> has not been compromised, and is logging all in/out messages, and forwarding
> them to FBI.  This could be happening even without you knowing, for example
> if "they" tap your network connection.

Absolutely. This is a problem with any system that involves forwarding. For
instance the currently proposed scheme advocates encrypting the address
to be forwarded too, the remailer server still could have its mail
tapped and the same correlation made. Of course my system seems much weaker
in the sense that if the server is compromised the database is there for
all to see. Of course the other system is just as weak in that if its
server is compromised then someone can get the secret key that decrypts the
addresses using the pass key from the automated software that does the
decryption

My objective was not to provide a high grade of anonymity, rather to enhance
the functionality provided by existing anonymous services with privacy
enhanced mail. Specifically to avoid sysadmins reading your anonymous replies
which are often unsolicited and somewhat dubious or compromising. I think
it achieves the objective but is clearly not going to sustain a concerted
attack on the server by a knowledgeable assailant like the NSA or FBI or
their equivalents in this country.

To my knowledge, being very naive when it comes to encryption, the provision
of anonymity which does not depend on a particular site to do the remailing
(and is hence vulnerable as described) is much less straightforward, not to
mention inconvenient. Perhaps I am overlooking something obvious to someone
more knowledgeable.

david