
SCHEME for FULL-SPEC RETURN PATH



-----BEGIN PGP SIGNED MESSAGE-----


 This is a portion of mail that I sent to Bill Stewart.  Since Bill seems too
 busy to send a critique, could someone else comply, please?

 Jon Boone | PSC Networking | [email protected] | (412) 268-6959 | PGP Key # B75699
 PGP Public Key fingerprint =  23 59 EC 91 47 A6 E3 92  9E A8 96 6A D9 27 C9 6C

- ------- Forwarded Message

Date: Thu, 03 Feb 94 13:45:31 -0500
From: "Jon 'Iain' Boone" <[email protected]>


  How secure do you think this is?

  Three remailers:

  [email protected]
  [email protected]
  [email protected]

  Originator: [email protected] (really igi.psc.edu, as Message-ID: shows)
  Receiver: [email protected]

  ()Ka == contents inside () are encrypted with Public Key of A

  mail addressed to random+*@foo.edu == mail to user [email protected],
  random's mail processor will deal with the +*

  The sender must encrypt his/her own address with the public key of the
  first remailer and put it in the X-A-R-P: field.

  Upon receipt of a message with X-A-S-P: set to non-empty, the re-mailer
  will strip off its portion of the address and decrypt the rest with its
  private key.

  It will add itself to the X-A-R-P: and encrypt it in the public key of
  the next remailer on the X-A-S-P:

  If there is nothing in the X-A-S-P: (after having removed its own address),
  then it needs to be sent to the To: address, so we set the From: address to 
  be the contents of the X-A-R-P: with its own address pre- & post- pended.  
  That way, the recipient need not change his/her mail agent to respond via 
  the X-A-R-P: (or even need to include the X-A-S-P: in the outgoing response).

  If the message doesn't have an X-A-S-P:, the remailer checks the "To:"
  for the contents of what would have been the X-A-S-P: with its own address
  pre- & post- pended.  By stripping off its own address and de-crypting the
  resultant, it has the next address to send it to. 

  Barring wire-tapping, your privacy is susceptible in the logs (syslog, etc.)
  of the first remailer (a.edu in my example) or if all the RSA-keys for
  a.edu, b.com and c.org are broken.  To dampen wire-tapping, you could encrypt
  the contents of the message with padding, making traffic analysis more
  difficult.

  Comments?

  IGI.PSC.EDU:

  To: [email protected]
  X-A-S-P: anon1+"(anon2+"([email protected])Kb"@b.com)Ka"@a.edu
  X-A-R-P: ([email protected])Ka
  From: [email protected]
  Message-Id: <[email protected]>

  A.EDU:

  To: [email protected]
  X-A-S-P: anon2+"([email protected])Kb"@b.com
  X-A-R-P: (anon1+"([email protected])Ka"@a.edu)Kb
  From: [email protected]
  Message-Id: <[email protected]>

  B.COM:

  To: [email protected]
  X-A-S-P: [email protected]
  X-A-R-P: (anon2+"(anon1+"([email protected])Ka"@a.edu)Kb"@b.com)Kc
  From: [email protected]
  Message-Id: <[email protected]>

  C.ORG:

  To: [email protected]
  X-A-R-P: anon3+"(anon2+"(anon1+"([email protected])Ka"@a.edu)Kb"@b.com)Kc"@c.org
  From: anon3+"(anon2+"(anon1+"([email protected])Ka"@a.edu)Kb"@b.com)Kc"@c.org
  Message-Id: <[email protected]>

  ANCHOR.HO.ATT.COM: (Reply) 

  To: anon3+"(anon2+"(anon1+"([email protected])Ka"@a.edu)Kb"@b.com)Kc"@c.org
  From: [email protected]
  Message-Id: <[email protected]>

  C.ORG:

  To: anon2+"(anon1+"([email protected])Ka"@a.edu)Kb"@b.com
  From: [email protected]
  Message-Id: <[email protected]>

  B.COM:

  To: anon1+"([email protected])Ka"@a.edu
  From: [email protected]
  Message-Id: <[email protected]>

  A.EDU:

  To: [email protected]
  From: [email protected]
  Message-Id: <[email protected]>

  Of course, some work would be necessary to accommodate double-blind
  conversations.


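The X-A-R-P: construction and the reply unwinding described in the message above, as an added simulation that is not part of the original post. It models only the return path, not X-A-S-P: routing. Assumptions: a keyed XOR stream stands in for each remailer's RSA key pair, sealed layers are hex-encoded instead of written as `()K`, and the keys, the originator address and all function names are constructed for illustration.

```python
import hashlib

# Constructed toy keys. A keyed XOR stream stands in for each remailer's RSA
# key pair; it is NOT real public-key encryption and offers no security.
KEYS = {"a.edu": b"toy-key-a", "b.com": b"toy-key-b", "c.org": b"toy-key-c"}
USER = {"a.edu": "anon1", "b.com": "anon2", "c.org": "anon3"}
PATH = ["a.edu", "b.com", "c.org"]
ORIGIN = "user@origin.example"  # constructed placeholder for the originator

def _xor(host, data):
    stream = b"".join(hashlib.sha256(KEYS[host] + bytes([i])).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, stream))

def seal(host, text):      # the post's ()K<host>, hex-encoded
    return _xor(host, text.encode()).hex()

def unseal(host, blob):
    return _xor(host, bytes.fromhex(blob)).decode()

def wrap(host, blob):      # anonN+"<blob>"@host
    return f'{USER[host]}+"{blob}"@{host}'

def unwrap(host, addr):    # strip this remailer's own portion of the address
    pre, post = f'{USER[host]}+"', f'"@{host}'
    if not (addr.startswith(pre) and addr.endswith(post)):
        raise ValueError(f"not addressed to {host}")
    return addr[len(pre):-len(post)]

def send(origin, path):
    """Outbound leg: build X-A-R-P hop by hop; return (From:, what each hop can read)."""
    arp, readable = seal(path[0], origin), {}
    for i, host in enumerate(path):
        readable[host] = unseal(host, arp)   # this hop holds the key for this layer
        last = i + 1 == len(path)
        arp = wrap(host, arp) if last else seal(path[i + 1], wrap(host, arp))
    return arp, readable

def reply(to_addr, path):
    """Reply leg: each remailer strips its address and decrypts the remainder."""
    hops = []
    for host in reversed(path):
        to_addr = unseal(host, unwrap(host, to_addr))
        hops.append(to_addr)
    return hops

if __name__ == "__main__":
    from_addr, readable = send(ORIGIN, PATH)
    print(readable["a.edu"], "|", reply(from_addr, PATH)[-1])
```

The `readable` map shows which layer each hop can open: only a.edu recovers the originator's address, while b.com and c.org see just the previous remailer's wrapped address.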