[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
-----BEGIN PGP SIGNED MESSAGE-----
Karl Barrus posted some ideas for running a remailer which requires
payments in the form of digital cash. I have some comments.
> The remailer will work like the others, except valid cash must be
> included or the remailer will not forward the message. For ease, a
> number of bills will be generated upon request, which will then be
> deposited as used. As a side effect, bank accounts will be
> incremented as well (too bad real banks don't work like this) so
> customers may "withdraw" more bills to use for remailing messages.
If I follow this, Karl will allow users to request digital-cash bills
from the bank, then require them to send one of those along with each
remailed message. The bank then puts the bills back into the user's
account(!) leaving him with as much "money" as he started with.
This may be OK for an exercise to get the code working, but to really
have any effect the remailer should not give the money back to the
user as soon as he "spends" it. This makes the whole thing rather
I had an idea which would be a variant of this: make the users send
you a postal-mail letter to authorize issuing another batch of digital
"stamps". The letter could include an email address to send the
stamps to. Maybe you could send 5 stamps per letter.
This would force the user to pay 29 cents each time he wanted a set of
stamps. Unfortunately, he's not paying the remailer operator, but
rather the U.S. government. But it would still limit the ability of
people to swamp the net with large numbers of messages.
(With this system, I would not anticipate that people would have
"accounts", but rather that Karl would just send out the digital stamps
and let people hold it, and use them as they mailed letters.)
> Nathan Estey suggested to me that traffic analysis could be made more
> difficult if messages under a certain length were padded, and message
> over the length were split and remailed a piece at a time. This will
> help, although I think it would be easier for the sender to include
> padding in the message itself (thus identical messages plus random
> padding will encrypt differently). Plus, the message may be multiply
> encrypted and thus padding cannot be added "inside." Maybe future
> mail software will automatically pad in addition to encrypt :-)
Remailers might require standard-sized messages for their operation,
or refuse to pass messages larger than some limit. This, in
conjunction with requiring per-message postage, should eliminate the
possibilities of "volume abuse" which so worried Ted Ts'o. ("Content
abuse" is much less of an issue given the free-speech traditions on
As it turns out, PGP compresses, then encrypts messages (usually):
C = Encrypt (KEY, Compress(M)).
The decryption phase is then:
M = Decompress (Decrypt (KEY, C));
Now, as it turns out, the decompression is self-terminating. That
means that you can add some junk to the message after the compression
phase but before the encryption phase, and it will be automatically
ignored by the decompresser:
C = Encrypt (KEY, Pad (Compress(M), N))
M = Decompress (Decrypt (KEY, C));
(This represents padding the message with N bytes after compression,
then encrypting it.)
I had a patch for an earlier version of PGP which would always pad to
1K byte boundaries using random bytes. It was kind of annoying to use
because it made small messages quite a bit bigger. But I think what
would be very nice would be a utility to encrypt a message which
produced one or more constant-sized files as output. Then you would
want a corresponding program to decrypt which would put the files
together and strip the padding.
This way, all files sent to the remailer would be exactly the same
size, and it could then act as a "Mix", as Eric described, holding a
bunch of files in a batch, shuffling them, then sending them out.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----