From: Jonathan Rochkind <jrochkin@cs.oberlin.edu>
Date: Mon, 20 Jun 94 08:14:05 PDT
To: klbarrus@owlnet.rice.edu
Subject: Re:  MAIL: anon mailing list
Message-ID: <199406201513.LAA19070@cs.oberlin.edu>
MIME-Version: 1.0
Content-Type: text/plain


> Say somebody wants to run a mailing list as you propose.  I think they
> should just run the list at the same address unless the remailers can
> suitably pad, delay, and randomize incoming messages and redirect them
> to the true list site (but then delay and randomization may lead to
> loss of coherency on the list ;).  If not, surely external observation
>of the contact point will show where all the messages are headed.
 
Hmm. I'd think that if the list address were an encrypted remailer
path with several hops, it would be non-trivial to find the contact
point by external observation. Would it even be possible?
Regretably, probably so.
 
An additional layer of security could be having the list address underneath
all of the encrypted remailer stuff be an anon address at the server
in Finland.  Although it's probably quite easy to to determine your
true address by external observation of anon.penet.fi, unfortunately.
Still, the combination of chained encrypted remailer paths, and the
finnish anon server would definitely make it dificult to determine
the contact point. But I guess not as dificult as I had hoped.
 
> The resources needed would be higher than a normal list since each
> incoming message would need to be checked for a digital signature (or
> the list could become victim to an anonymous mail bomber, and you
 
Yeah, quite true. It would be impractical for a very large list. 
At least, if you wanted a list with more then maybe 70 members, you'd
need to dedicate some machine to it, probably. Although maybe not; I don't
want to concede that until it's actually tried to see how much proccesing
power is required in practice. :)
 
And yeah, it would take users who were actually committed to doing it,
as most users of _this_ list (including me), don't even sign their 
messages, as you point out. If we won't even sign our messages, then I don't
know who is going to be willing to sign, encrypt, append remailer path, 
to it. Although I guess if the list required it, as it would, then people
might join the list and do the stuff, just for the principle of it. 
And automated shell scripts certainly help. You could have an automated shell
script particularly for the mailing list that took cleartext, encrypted it
to the list, signed it, appended the remailer stuff to the front, and sent
it off to the proper remailer.