From: Nathan Zook <nzook@bga.com>
Date: Thu, 9 Feb 95 04:09:32 PST
To: cypherpunks@toad.com
Subject: Threat models. [was: Why encrypt intra-remailernet]
Message-ID: <Pine.3.89.9502090648.I21224-0100000@lia.bga.com>
MIME-Version: 1.0
Content-Type: text/plain


 
>    From: Nathan Zook <nzook@bga.com>
> 
>    When I say that the Mark I remailers are laughably easy to crack, I mean
>    laughably easy.
> 
> By whom?  I am hearing a general denunciation of the current remailer
> system.  These blanket denials are false on their face, because they
> are not true in every circumstance.
> 
 
By anyone with the resources to snoop up- and down- stream of all the
remailers.
 
>    The only reason that our systems are actually able to do any good is 
that
>    our threat model _is not_ an LEA--with government resources, and 
government
>    patience.
> 
> _Our_ threat model?
> 
> There is not one threat model.  Each person has their own threat model
> and their own desired level of security.  An individual also desires
> more security for some messages than others.  The current remailer
> network is good for some purposes and bad for others.
> 
> Every evaluation of security _must_ include the nature of the security
> desired, because there is no single concept called "security" which is
> the same in every situation.
> 
> Eric
 
Yes, but...  The very act of going to the trouble of using these remailers
means that you are dealing with someone powerful enough to read past forged
From/From: lines.  Does it take that much more to snoop these sites?  My
gut says no.  Everybody harps chaining.  Does snooping take more effort
than compromising?  I think it would be hard indeed to say so.
 
So if we think Eve can compromise some remailers, and/or read past
From/From: faking, we are, I believe, forced to believe that Eve can snoop
all the remailers.  Threat models need to be uniform in the power of the
opponent.
 
Nathan