Re: Latency vs. Reordering (Was: Remailer ideas (Was: Re: Latency vs. Reordering))

[Hal <hfinney@shell.portal.com>]

jdd@aiki.demon.co.uk (Jim Dixon) writes:
>In message <199408070216.TAA09025@jobe.shell.portal.com> Hal writes:
>> If this idea seems valid, it suggests that the real worth of a network of
>> remailers is to try to assure that there are at least some honest ones
>> in your path.  It's not to add security in terms of message mixing; a
>> single remailer seems to really provide all that you need.
>Yes, in an ideal world.  Each additional remailer introduces another
>chance of being compromised.

Once again I find myself with an understanding that is exactly the opposite
of Jim's.  I must be missing the point of his network design.  In the remailer
networks I am familiar with, each additional remailer introduces another chance
of being uncompromised, rather than being compromised!  Only if all the re-
mailers in the chain are cooperating and logging messages can they recon-
struct the path my message took.  If any one remailer is honest, my message
is successfully mixed with the others.  A design in which any one remailer
in the chain can compromise the privacy of the user seems to have a very
big flaw.

>But in an ideal remailer network operated by real human beings, you cannot
>trust the operator.  You would prefer that at least the points of entry
>and exit from the network be different, because this decreases the
>probability of the message being 'outed' by a very large factor.  If
>you are seriously concerned about legal factors, you would prefer that
>the remailer gateways be in different legal jurisdictions.

Yes, this makes a lot of sense.  Use different jurisdictions to make attacks
by government agencies more difficult, use multiple remailers in a chain,
etc.  I just don't follow the earlier comment which suggests a different
model of information exposure than I use.

Hal