I've been studying Eric Messick's message. It's pretty complicated and it will take more time to really understand it. I did spot one possible problem. Remailer &V sends to &W an address field that looks like: Addr: w(B), w(Sw, Qw, C, &X, x(C), x(...), pad) but I don't think &V has enough information to create the 2nd item here. The reason for the A, B, etc. keys is, I think, to allow new padding to be done as the message gets passed between each pair of remailers. I think that may need to be used here as well. &V can't put padding into the w(Sw,...) block. As a more general comment, I'd like to see some simpler examples. Eric has shown the most complex case in order to demonstrate that his scheme works for that, but I think more people would be able to comment on it if some simpler examples were provided. How about an anonymous address that is just one hop long, instead of 3, and which is used by the sender without going through any remailers first? I think that would be less intimidating. Another general point, which may be important. Chaum emphasized that his anonymous addresses should be use-once, because if two people send messages to the same anonymous address, someone who has access to the mail goig into and coming out of the remailer will see identical address fields coming out for the pair of messages. I think Eric's scheme has the same property. I have to admit that I don't see that a use-once anonymous address is very useful, but I think we should give this some consideration. I think Eric's use of padding is to defeat just such an attacker, so that there is no message-length correlation between incoming and outgoing messages. If we are going to worry about such attacks, it calls into question the whole approach to anonymous addresses. As one possible corollary, if anonymous addresses were used once then the postage could be supplied by the addressee. This might change the protocol very considerably. Hal Finney 74076.1041@compuserve.com