[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

anon.penet.fi fixes



Eric Hughes suggests:

> Currently to mail to person 1234 at penet, you send mail to 
> 
>         [email protected]
> 
> This mail goes out anonymously from the sender, either using an
> existing mail address or creating one.  But if one were able to reach
> person 1234 also with the email address, say,
> 
>         [email protected]
> 
> the behavior could be _not_ to make this posting anonymous.
> 
> To wit, the 1234 indicates that you are replying to a pseudonymous
> recipient, and the anon/name pair indicate whether the sender is
> anonymous.  Thus no change in default behavior, and no new header
> lines.

I'd extend Eric's idea
to say that mail to a non-anonymous address (like Deadbeat's postings to
Cypherpunks) should be shown as coming from "name5877" rather than
"an5877".  Then when we gullibly sent our true email addresses to him,
our Penet anonymous ID's would not be revealed (because the "reply"
command would send to "name5877" which would prevent the double-blinding).

But, what would we do for anonymous Usenet posts (assuming those are
still allowed)?  If they are shown as coming from "an5877" as they
are now, then Deadbeat's trick would work via posting to Usenet.
("Please send your current email address for information on the latest...").
If they are shown as coming from "name5877" then users who are
accustomed to the old way of working will find themselves not being
anonymized when they thought they would be.

Deadbeat suggests:

> Here's a way out that will satisfy me and Johan: assign Alice a new
> pseudonym here and now, one that will be good for replies only.  If
> Alice has registered with the remailer in the past, i.e., if she has a
> password, then she knows how to X-Anon-To:, but has opted not to.  If
> she has not registered, then it is also appropriate to assign her a new
> ID.  However, should she later register, I suggest she be given a new,
> permanent, password-protected ID, just in case her earlier reply
> inadvertently exposed her real ID (in the way we have been discussing).
> 
> In essence, I'm suggesting that the Finnish remailer have two classes
> of anonymous IDs, one that is password protected, and one that is not.
> The former should never be used without the X-Anon-Password header.

A problem with this is that I would have to remember, for each different
anonymous communicant I send to, whether I am using my "password" ID
or my "non-password" ID.  The difference would come down to what method
was used when I initially began communicating with this person.  If
the initial contact was in response to mail they sent to my "real" email
address, then I must remember to use the "non-password" ID for all
succeeding communication, on the theory that they know my real email
address.  OTOH, if the initial contact was to my anonymous address, then
I have to remember to use my "password" ID for all following communication,
so that I don't accidentally reveal my "non-password" ID, which some people
can link to my real address.

From this point of view, part of the problem appears to be the desire
to live in both worlds - the real world and the shadow world.  It will
be hard to keep track of which world each communication is in.

Perhaps Deadbeat's and Eric's ideas could be combined, where mail to
real email addresses would come from "name5877", and replies to such
addresses would use the "non-password" ID.  This might help people keep
track of how to reply to each message.  I still think there is a problem
with how anonymous posts should be labelled, and how replies to such
posts should be handled.

Hal