message pools revisited

[jim@bilbo.suite.com (Jim Miller)]

Someone once said that a system of remailers is as strong as its  
STRONGEST link.

"As long as even ONE remailer in the chain is trustworthy, hiding the  
connection between incoming and outgoing messages, your anonymity is  
preserved."

While I agree with this in principal, I'm still not satisfied.  I  
want a remailer system that is secure from eavesdropping and traffic  
analysis even if ALL remailers are untrustworthy.

You might ask why I am not satisfied with current remailer designs.   
My unease stems mostly from irrational fears and distrust of the  
people running the remailers.  I don't personally know any of the  
people who are running remailers.  How can I be sure they are not  
colluding?  How can I be sure their machines haven't been penetrated  
by the Bad Guys?  It may be true that the remailer system is as  
strong as its STRONGEST link, but how do I know where that strongest  
link is?  As long as there is any doubt, I'm not satisfied.  Others  
may feel the same, and refrain from using remailers.

With sufficient traffic, messages exchanged via a message pool are  
secure from eavesdropping and traffic analysis, even if the message  
pool is untrustworthy.  The problem is, the message pool schemes I'm  
familiar with (admittedly, not that many) don't scale up well.

One kind of message pool works like a mailing list.  People subscribe  
to the message pool by sending the message pool server their e-mail  
address (and perhaps also a public-key).  A member of the message  
pool sends an anonymous message by encrypting it with the recipient's  
public key and sending it to the message pool server.  The message  
pool server sends a copy of the encrypted message to every member of  
the message pool service.  Only the person who has the corresponding  
private key will be able to decrypt the message.  All other members  
of the pool will get garbage.  One benefit of this type of message  
pool is that the messages come to you.  You don't have to go and get  
them.  Also, if an encrypting remailer is a member of the message  
pool service, then members can "route" messages through it to  
non-members.

Another kind of message pool works like a BBS system.   A person  
sends a message by encrypting it with the recipient's public key and  
sending it to the message pool server.  The message pool server adds  
the message to a pool of messages it maintains.  Messages stay in the  
pool for a finite time, and then are deleted.  People periodically  
downlaod the current set of unexpired messages from the pool and see  
if they can decrypt any of them.  If they find a message they can  
decrypt, then the message was meant for them.  The advantage to this  
scheme is that there is no concept of a "member".

Some time last year, before I joined the cypherpunks mailing list, I  
posted a message to sci.crypt suggesting that people create a news  
group called "alt.crypt.messages" so people could exchange messages  
anonymously.  Some people said this was a good idea.  Others said  
that it was suggested before by others (it had).  Still others said  
it wouldn't work because people wouldn't carry the news group because  
they wouldn't be able to know what kind of stuff was being sent  
through it.

I think it is time to ask again.  Do people think it would be a good  
idea to create a news group for exchanging anonymous messages?   
Alternatively, perhaps some cypherpunks with free time would like to  
code up a simplified distributed message pool service modeled after  
USENET.  You would need servers to distribute the messages and  
front-end "reader" apps to simplify searching for messages destined  
for you.  Any takers?

Jim_Miller@suite.com