We've talked about possible hardware security measures, even those that only rely on physical box security. A box that does decryption, mixing, readdressing, etc., without being part of a Unix file system/network, could be a useful "Mom and Pop remailer" (the idea being that small shop owners, "Mom and Pop," could set this up, collect a little bit of spare change as a remailing fee, and not even have access to the internal state of the machine themselves).
While a solution like that would be optimal, even just a version of Mixmaster that can use a secure RSA card would do wonders for security. The secret key is protected in the card and can't be stolen, even by root, without physically stealing the card. As long as most of the remailers in your chain don't have compromised secret keys, it probably won't matter too much if the individual ops can examine the messages flowing through their remailer. The cards are getting cheaper and can be bought off the shelf (for now). The hardest part of retrofitting existing remailer software would probably be extracting the data from the remailer packet and formatting it properly for the card to do encryption operations on it (and back).

andrew