[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Non-anonymous remailers



At 04:15 AM 5/15/98 +0200, some allegedly anonymous person wrote:
>Recently a new technology has been proposed: non-anonymous remailers.

Feh - anybody who wants non-anonymous remailers should include his name :-)
On the other hand, perhaps the allegedly anonymous author didn't
believe the purported name of the alleged proposer, or chose to
phrase the proposal in the exculpatory passive voice.

>A non-anonymous remailer separates the two traditional functions of the
>remailer network: anonymity and avoiding traffic analysis.  Because the
>network provides both of these features, some people may not be aware
>that they are distinct.

Good point.  

>A non-anonymous remailer avoids traffic analysis but does not provide
>anonymity.  The recipient can tell who the sender of a message is,
>but no one else can, neither the remailers nor eavesdroppers.
>
>There are several ways to achieve this cryptographically.  The general
>idea is that the sender of the message must sign it with a valid public
>key (one signed by a CA trusted by the remailer network).  This signature
>is hidden from everyone but the recipient because the message is encrypted
>for the recipient.  However the sender can use variants of zero knowledge
>proofs to demonstrate that inside the encryption there is a signature
>which satisfies the requirements.

Overkill, and inadequate.  Let's start with overkill:
- If you require all outgoing email to be encrypted,
  you don't have constructive knowledge that your system
  is being abused.  Legally, that should be significant protection;
  rules about not being liable for things you don't know you did
  are much harder to change than rules about things you know.
- Posting a big sign requiring conformance with policies,
  backed up by occasional action against violators,
  helps establish your presumption of good character.
- Requiring all outgoing mail to be encrypted makes spamming
  much more difficult (today), though in the Great Cryptographic Future,
  when everybody has at least one easily-located public key,
  that's less effective - but even then it significantly increases
  the workload for the spammer (though Moore's Law makes that less
  relevant, and good Crypto APIs make development of spamware easy.)
  It doesn't stop harassers, but it does reduce spam.
- A few Supreme Court cases, such as Talley and McIntyre,
  protect the right to anonymous speech, including commercial,
  so the proposed law has a high bogosity index.

For inadequacy, there are a variety of problems:
- Zero-knowledge proofs can at most verify that there's an identifier
  in some defined format or from some accessible list of keys.
  They can't verify that the message really came from
  the homeless person who allegedly sent the mail, nor that the
  address, phone number, or email named can locate a real body.
  They also tend to need special forms for the data, which may not
  work for CA-format key signatures.
- ZKPs aren't very useful for identifying the insides of 
  multiply-encrypted data - so they only give you one hop at a time,
  and only for cooperative remailers in cooperative jurisdictions.
- Protocols that provide information about the insides of
  an encrypted message are notoriously hard to make both
  secure and useful.

>Non-anonymous remailers would be suitable for cases where people do
>not want eavesdroppers to know with whom they are communicating, but
>where they don't need to be anonymous to their communication partners.

Distinctly true, though the easiest way to achieve that is to
separate the two problems, providing solid privacy protection
outside and letting the users sign the inside message if they want.

				Thanks! 
					Bill
Bill Stewart, [email protected]
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639