Jim Dixon analogizes between the Internet and remailer networks. The analogy has some merit, but yet breaks down badly with the very first point: * all packets should be acknowledged This is not the way the Internet works. IP, Internet Protocol, is unreliable. TCP, the reliable stream protocol, does not acknowledge individual packets but rather advancement along a sequence. The lesson is that reliable delivery should be built on top of unreliable delivery. Here the analogy breaks down on technical grounds. With TCP, the destination knows the source, yet in a remailer network this may not be the case. A good first cut, though, would be to forgo reliable delivery for remailer-created pseudonymity and work out a reliability mechanism for regular correspondents. In this case the source _is_ known, it's just that it's not shown on the outside of the message. Further, in email, there's currently no notion of a connection. Email message are much more like datagrams than bit streams. In order to do reliable delivery, there would have to be persistent state information on each side of the communication. If I send a message for the first time to a party and there's no reply, I cannot conclude whether the message was not delivered or whether the message was delivered and not answered. Connection-oriented email would be much more complicated than the current systems. It is, perhaps, time for email to become more complex. * messages should be broken down into packets which are routed independently Length quantization is necessary for security in the face of total network monitoring. Multiple quanta may be warranted in the case of high volume, which is certainly not the case right now. So this point holds. * users should communicate with trusted gateways This point is only half true, because the analogy only subsumes one kind of trust. For remailers there is both trust in delivery and trust in silence, the destruction of the message and information about it. On the Internet the only trust required is delivery; there is not a desiderata in the design (although it's certainly in some people's minds) that packet monitoring _not_ be possible. * the gateways should frequently exchange routing information Again, this works for trust in delivery but not for trust in silence. Eric