From: Sandy Sandfort <sandfort@crl.com>
Date: Wed, 23 Nov 94 07:00:05 PST
To: Cypherpunks <cypherpunks@toad.com>
Subject: Re: REMAILER PROPOSAL
Message-ID: <Pine.SUN.3.91.941123065826.16214E-100000@crl8.crl.com>
MIME-Version: 1.0
Content-Type: text/plain


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                         SANDY SANDFORT
 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C'punks,

Lance Cottrell wrote:

    ... The "Electronic Mail Forwarders Guild" is ...
    capable of error. You assume that [the Issuer] would
    appear to be untrustworthy.... If a TLA wished to
    infiltrate us, the traitor would seem very trustworthy,
    gung ho, and paranoid.

Life has risks; the trick is to minimize them.  Yes, the Issuer
could be a weak link.  This only means that the Guild has to be
careful whom it chooses, which security protocols it mandates and
what oversight it exercises.  I have suggested that the job of
Issuer could be rotated.  This would help.

Another step that might be taken is to separate the job of Issuer
from that of Database Manager.  In other words, the Issuer would
take in payment and provide a list of valid Spoon-Es to the DB
Manager, who in turn would cancel the Spoon-Es as they were used.
Under the threat posited by Lance, such a step would make it
necessary for the Issuer, the DB Manager and the first remailer
to collude for their to be a problem.

If your paranoia can swallow that much collusion, than the job of
Issuer could be further Balkanized into three or more jobs.
Beyond these solutions, Lance has proposed a couple of other ways
to reduce the risk he has identified.  All in all, I think my
crude-but-effective suggestion is still the best proposal extant
for a pay-to-play remailer system.


 S a n d y

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~