----- Original Message ----- From: "Jim Choate" <ravage@ssz.com> To: <cypherpunks@einstein.ssz.com> Sent: Saturday, August 11, 2001 7:07 PM Subject: CDR: Re: Mixmaster Message Drops
On Sat, 11 Aug 2001, Joseph Ashwood wrote:
Actually you can start with just one trusted remailer.
Bull.
Well technically you begin by granting trust to someone, the easiest being yourself. Then you build trust in something else, use trust in one thing to build trust in another. Regardless you have to establish trust in a single location, before you can build trust in multiple.
If you can get in an personally inspect 1 remailer, or run it yourself,
you
can trust a single one.
Only so long as you have a process to vet its current behabiour against past behaviour.
I'm only worrying about future behavior, the past being something that will never matter again in the behavior of the system, especially since we can't plan on testing "in the past." In this particular case we are only concerned with whether or not it will forward every message sent to it within some very tight bounds so it is unlikely that a non-malicious entity would change the configuration, if the configuration is changed in that respect then it will be detected later on during the testing phase. The issue being that it will represent other remailers as undependable, possibly while making itself look flawless. This is a very difficult problem to solve.
As to remailers you don't operate, you're trust with respect to 'getting in' lasts until you walk out.
But we can build trust in it's ability to forward messages in a way that is for some definition anonymous, in particular the project is to eliminate it's dropping of messages either at random or maliciously, or at least determine which remailers perform the dropping and with what rate.
Once you're gone the potential for re-config'ing the remailer is present.
Which won't matter because the particular behavior we are trying to detect will be reported on if they change, simply by the fact that the messages will be dropped. All we're trying to do is build trust in the ability of a single location to begin an anonymous analysis of the abilities of the others to forward messages without dropping any (save a small ratio). Joe