Threat models. [was: Why encrypt intra-remailernet]

[Nathan Zook <nzook@bga.com>]

>    From: Nathan Zook <nzook@bga.com>
> 
>    When I say that the Mark I remailers are laughably easy to crack, I mean
>    laughably easy.
> 
> By whom?  I am hearing a general denunciation of the current remailer
> system.  These blanket denials are false on their face, because they
> are not true in every circumstance.
> 
 
By anyone with the resources to snoop up- and down- stream of all the
remailers.
 
>    The only reason that our systems are actually able to do any good is 
that
>    our threat model _is not_ an LEA--with government resources, and 
government
>    patience.
> 
> _Our_ threat model?
> 
> There is not one threat model.  Each person has their own threat model
> and their own desired level of security.  An individual also desires
> more security for some messages than others.  The current remailer
> network is good for some purposes and bad for others.
> 
> Every evaluation of security _must_ include the nature of the security
> desired, because there is no single concept called "security" which is
> the same in every situation.
> 
> Eric
 
Yes, but...  The very act of going to the trouble of using these remailers
means that you are dealing with someone powerful enough to read past forged
From/From: lines.  Does it take that much more to snoop these sites?  My
gut says no.  Everybody harps chaining.  Does snooping take more effort
than compromising?  I think it would be hard indeed to say so.
 
So if we think Eve can compromise some remailers, and/or read past
From/From: faking, we are, I believe, forced to believe that Eve can snoop
all the remailers.  Threat models need to be uniform in the power of the
opponent.
 
Nathan