From: jdd@aiki.demon.co.uk (Jim Dixon)
Date: Wed, 10 Aug 94 08:05:26 PDT
To: Stu@nemesis.wimsey.com
Subject: Re:  RemailerNet
Message-ID: <4895@aiki.demon.co.uk>
MIME-Version: 1.0
Content-Type: text/plain


In message <2e452e79.nemesis@nemesis.wimsey.com> Stuart Smith writes:
> In article <4068@aiki.demon.co.uk> you write:
> >If you modify the proposed RemailerNet to allow reposting at gateways,
> >you have all of the benefits of the system described above, without
> >the risks.  Reposted messages would be encrypted with the far gateway's
> >public key.  The near gateway would then have no idea of the ultimate
> >destination of the message.  In a well designed system, the far
> >gateway would also not know the identity of the sender.
> 
> But how could we do this if we followed your advice, and did not
> allow the user to select their own chain, as you said
> previously?

I have assimilated criticisms made and modified the proposal.

>	       By making users *trust* the remailnet as an entity,
> you make it possible for that entity to be compromised.

(a) I don't force the users to trust RemailerNet as a single entity,
(b) how does their trust make it possible for the entity to be
compromised??  It is not possible to guarantee that some or all
components of a remailer network are not compromised.  You can
only take steps which reduce the probability.
>							   If the
> remailernet is not one entity, but a large group of independent
> entities, compromise is *much* harder.

It is NOT one entity, is IS a large group of independant (but
cooperating) entities.

> >Any traffic sent through this remailer network would have only a tiny
> >chance of getting through without being compromised.  If you picked
> >5 remailers, the chances of all being non-FBI would be about .2^5,
> >3 in 10,000.  The other 9,997 messages would be copied immediately
> >to Langley.
> >
> >The proposed RemailerNet could be attacked in much the same way.  But
> >if the network were widely distributed so that gateways were in
> >different legal jurisdictions and different countries, and if most of
> >the people involved knew one another, it would be more difficult to
> >compromise it.
> 
> But if the user does not know the people in the remailnet, how
> can he or she trust *them*?

In most cases, you do not want the person operating a remailer to
know you personally.  Ideally, you know them, because they have a
widespread reputation (eg, julf@penet.fi).  But they do not know
you.  As a practical matter, the fewer remailers there are, the
more likely they are to have an accurate reputation, because more
people will have had experience with them.

>			      It's fine and dandy that the
> remailnet operators trust each other, but the point is to give
> the end user anonymity, not to form an old boys club of remail
> operators.  If they all know each other, I do *not* think that
> makes the system more secure, I think it makes it weak.

People have been building systems like this, that involve webs of
trust, for millenia.  Banks are such institutions.  While it is
true that familiarity between trusted individuals makes for collusion,
it also makes for knowledge.  Most people use banks.  Few banks
are corrupt.

A cruder example is the dope dealer.  The police regularly attempt
to compromise them.  Anyone buying dope learns to (a) be skeptical
about all dope dealers but also (b) find one that he can trust and
stick with him.

Dope dealers apply the same sort of heuristic to their suppliers.
They ask around all the time, they listen to gossip, they talk to
their peers.

> As is often stated, a mix-net like this should still be secure
> if some of the remailers are compromised, so could we speculate
> on just how easy or hard traffic analysis is with any given
> percentage of a remailnet compromised?  i.e. if we took it as a
> fact of life that 90% of any announced remailers were
> spook-mills, could we still trust the remailnet if we used
> *long* chains in the hope that our messages would pass often
> enough through *good* remailers to confuse the trail?

RemailerNet v0.2 allows "empowered users" to participate as
equals with established RemailerNet operators.	This means that
the gateway that they are connected to has no way of knowing
whether they are originating any traffic, let alone who that
traffic is addressed to.  The gateway will know that the user is
receiving traffic, but it will not know whether that traffic is
intended for the user or whether the user is simply acting as
a reflector.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Therefore, two users could communicate through a RemailerNet
network with ALL nodes [gateways] compromised, and still be
secure against most forms of attack.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

--
Jim Dixon

[sorry about the delay in answering this posting.  It is dated
7 Aug but I received it 10 Aug]