
Re: Remailer ideas (Was: Re: Latency vs. Reordering)



The problem of designing a reliable and trusted remailer network is
a generalization of the problem of constructing a reliable Internet and
so many of the solutions can be the same.  The structure of the
Internet has been gone over and over again for twenty years or so
and is probably optimal.

This suggests that
   *	all packets should be acknowledged
   *	messages should be broken down into packets which are routed
	independently
   *	users should communicate with trusted gateways
   *	users should be accessible through a hierarchy of logical names
	which includes the gateway name
   *	gateways should be known to users only through their logical
	names
   *	the gateways should frequently exchange routing information
   *	that routing information should have an expiry date
   *	gateway operators can choose who they announce routing
	information to and accept routing information from
   *	users may have accounts with gateways and be charged for
	gateway usage
    *	gateway operators can settle accounts between each other
	periodically
    *	system software should be obtained [only] from trusted sites;
	to make things simpler, it should be possible to distribute
	bootstrap diskettes that allowed the bulk of the software
	to be downloaded or updated over the net without being
	compromised

Specifically cryptographic elements are easily added to the system
    *	all inter-gateway traffic should be encoded
    *	packets can be delayed for random intervals
    *	routing of packets can be somewhat stochastic; that is, you
	don't generally send packets by the quickest route, and the
	choice of forwarding gateway is not 100% predictable,
	given the destination gateway
    *	packets can be fragmented and padded with noise at random
    *	noise packets can be added at random
    *	route selection, packet fragmentation, and noise generation
	can be continuously adjusted to defeat traffic analysis

The following suggestions raised in recent postings are included
in this scheme:
    *	cjl's MIRV capability (except that it is supplied by the
	system and not the user)
    *	Jidan's noise injection
    *	Rochkind's stability-from-being-paid and web-of-trust notions
    *	Markowitz's automated contacts between mailers
    *	a form of digital postage
    *	Rochkind's pinging

The following are very easily supported by the scheme:
    *	a form of digital cash (the gateway operator would run a tab
	for users, like a credit card company)
    *	digital signatures
    *	message transfer via custom Internet protocols as well as
	via the email system
    *	users could specify the degree of confidentiality required
	and the system would use stronger encryption, increase
	chaff (anti-traffic analysis measures), and restrict use to
	more trusted gateways as required

Where email is used to transfer messages, the format used should be
a subset of that specified in the SMTP RFCs.  Restricting the structure
of the headers would simplify the remailer software at little cost
to the user.

The use of alt.x groups to exchange gateway information does not seem
to add anything to this system; in fact it would seem to make it easier
to spoof the system.

There could be multiple remailer nets, some commercial (paid for)
and some free.  The commercial networks could choose to exchange
traffic with the free networks at no charge.

Commercial remailers would probably be very concerned with legal
issues, both criminal (pornography, etc) and non-criminal (copyright
violations).

--
Jim Dixon
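The anti-traffic-analysis items in the post (fixed-size fragments padded with noise, random noise packets, random per-packet delay, and a forwarding choice that is not fully predictable from the destination gateway) can be shown working together in a small model. The following is an added example written for this page, not code from Jim Dixon or from any remailer of the period; the cell size, header layout, detour probability and delay distribution are assumptions chosen for illustration, and the toy "topology" of gateways is constructed sample data. Real inter-gateway traffic would carry these cells inside an encrypted envelope so that the type byte distinguishing chaff from data is not visible on the wire.

```python
import random
import struct
from collections import deque

# Assumed constants for the toy model; the post specifies no sizes.
CELL_PAYLOAD = 64                      # payload bytes carried per cell
HDR = struct.Struct("!BHHHB")          # type, msg_id, frag_idx, frag_total, used_len
CELL_SIZE = HDR.size + CELL_PAYLOAD    # every cell on the wire is exactly this long
DATA, CHAFF = 0, 1


def make_rng(seed: int) -> random.Random:
    """Seeded RNG so a run is reproducible; a real system would use os.urandom."""
    return random.Random(seed)


def fragment(msg: bytes, msg_id: int, rng: random.Random) -> list[bytes]:
    """Split msg into fixed-size cells.  The unused tail of the last cell is
    filled with random bytes, so cell length never reveals message length."""
    chunks = [msg[i:i + CELL_PAYLOAD] for i in range(0, len(msg), CELL_PAYLOAD)] or [b""]
    cells = []
    for idx, chunk in enumerate(chunks):
        pad = rng.randbytes(CELL_PAYLOAD - len(chunk))
        cells.append(HDR.pack(DATA, msg_id, idx, len(chunks), len(chunk)) + chunk + pad)
    return cells


def chaff_cell(rng: random.Random) -> bytes:
    """A noise cell: same length as a data cell, random header and body."""
    return HDR.pack(CHAFF, rng.randrange(1 << 16), 0, 1, 0) + rng.randbytes(CELL_PAYLOAD)


def reassemble(cells) -> dict[int, bytes]:
    """Drop chaff and rebuild every message whose fragments all arrived,
    whatever order the cells came in.  Incomplete messages are withheld."""
    frags: dict[int, dict[int, tuple[int, bytes]]] = {}
    for cell in cells:
        if len(cell) != CELL_SIZE:
            raise ValueError("malformed cell: wrong length")
        kind, msg_id, idx, total, used = HDR.unpack_from(cell)
        if used > CELL_PAYLOAD or total == 0 or idx >= total:
            raise ValueError("malformed cell: bad header")
        if kind != DATA:
            continue                      # chaff is discarded at the gateway
        body = cell[HDR.size:HDR.size + used]
        frags.setdefault(msg_id, {})[idx] = (total, body)
    out = {}
    for msg_id, parts in frags.items():
        total = next(iter(parts.values()))[0]
        if len(parts) == total and all(t == total for t, _ in parts.values()):
            out[msg_id] = b"".join(parts[i][1] for i in range(total))
    return out


def schedule(cells, rng: random.Random, mean_delay: float = 2.0,
             chaff_ratio: float = 0.5) -> list[bytes]:
    """Give each cell an exponential random delay, add chaff cells with
    their own delays, and return the cells in transmission order.  This
    yields both reordering and noise injection in one step."""
    items = [(rng.expovariate(1.0 / mean_delay), c) for c in cells]
    for _ in range(int(len(cells) * chaff_ratio)):
        items.append((rng.expovariate(1.0 / mean_delay), chaff_cell(rng)))
    items.sort(key=lambda t: t[0])
    return [c for _, c in items]


def hop_distances(topology: dict, dest: str) -> dict:
    """BFS hop counts to dest over an undirected gateway graph."""
    dist = {dest: 0}
    queue = deque([dest])
    while queue:
        node = queue.popleft()
        for nb in topology[node]:
            if nb not in dist:
                dist[nb] = dist[node] + 1
                queue.append(nb)
    return dist


def choose_next_hop(current: str, dest: str, topology: dict,
                    rng: random.Random, p_detour: float = 0.3) -> str:
    """Stochastic forwarding: usually step toward dest, but with probability
    p_detour (assumed value) pick any reachable neighbour, so an observer
    cannot predict the forwarding gateway from the destination alone."""
    dist = hop_distances(topology, dest)
    neighbours = [n for n in topology[current] if n in dist]
    if not neighbours:
        raise ValueError(f"{current} cannot reach {dest}")
    if rng.random() < p_detour:
        return rng.choice(neighbours)
    best = min(dist[n] for n in neighbours)
    return rng.choice([n for n in neighbours if dist[n] == best])


if __name__ == "__main__":
    rng = make_rng(1)
    # Constructed sample gateway graph: a-b-c-d with a shortcut b-e-d.
    topology = {"a": {"b"}, "b": {"a", "c", "e"}, "c": {"b", "d"},
                "d": {"c", "e"}, "e": {"b", "d"}}
    cells = fragment(b"constructed sample message " * 5, msg_id=7, rng=rng)
    wire = schedule(cells, rng)
    print(len(wire), "cells on the wire, lengths:", set(map(len, wire)))
    print(reassemble(wire))
    hop, path = "a", ["a"]
    while hop != "d":
        hop = choose_next_hop(hop, "d", topology, rng)
        path.append(hop)
    print("path:", " -> ".join(path))
```

Because every cell is the same length and chaff is indistinguishable from data once the envelope is encrypted, an observer counting cells between two gateways learns only the combined data-plus-chaff rate; raising `chaff_ratio` or `mean_delay` is the "continuous adjustment" the post mentions, traded against latency and bandwidth cost.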