From: eric@remailer.net (Eric Hughes)
Date: Tue, 31 Jan 95 21:21:38 PST
To: cypherpunks@toad.com
Subject: Re: Frothing remailers - an immodest proposal
In-Reply-To: <199502010253.VAA03904@bb.hks.net>
Message-ID: <199502010520.VAA04884@largo.remailer.net>
MIME-Version: 1.0
Content-Type: text/plain


   In article <9501312152.AA10208@toad.com>,  <kevin@elvis.wicat.com> wrote:
   >It seems to me that the current remailer web suffers a fundamental flaw.
   >It is simply too static.

It is worthwhile remembering that a remailer network has two
characteristics of service: the fact of delivery, and silence in the
internal facts of that delivery.  That is, you want your email to get
there, but you don't want anybody else to know how it got there.
There are correspondingly two trusts in the function of a remailer,
namely, a trust in reliability, and a trust in silence.

It is very important to remember that only one of these is externally
verifiable.  Your mail gets to its final location; you can tell that.
What you can't tell (external to the remailer) is whether the remailer
kept a copy of the mapping between input and output messages.

Now, dynamic rerouting is good for better delivery, but is bad for the
trust in silence.  Trust in externally unverifiable properties is
_not_ transferrable.  Just because I believe that my regular remailer
is OK does not mean you do.  The creation of these links of trust is
not something that can be automated solely by the remailer operators.
The end users of the remailers are the endpoints of this trust
relationship.  The end users must be involved, either directly or
through some (legal) agent, in the manipulation of these relationships.

Any solution which tries to do this independent of the end user is
broken, by definition.

Eric