Marc.Ringuette writes: 2. The anonymous message includes a cryptographic "stamped self-addressed envelope" which contains a layered list of remailer addresses encrypted at each layer. This requires modified behavior of remailers; they must be willing to "unwrap" an address-list separately from the message body, and then "wrap" the entire message with the destination's public key, in order to disguise the correspondence between input and output. I think this has been discussed here before. Has anyone implemented it? I strongly suggest that this method be implemented in the cypherpunks remailers. Let's call it the SASE feature. What do you think? I do think this is worth trying. The current remailers will do the "unwrapping" but they won't "re-wrap" in the public key of the next remailer. This means that the incoming and outgoing messages can be easily matched up since the non-address portion is the same. I'll look into trying something like this. One issue is how the remailer finds the public key of the next one in the chain. The simplest way would be for it to simply try a lookup on its PGP keyring using the outgoing email address, and if it matches, encrypt it. You'd want a special PGP keyring for this which had only remailer keys on it. (Or, it might be interesting to encrypt _all_ outgoing mail (even to destinations) if we had a key for that outgoing address. This might increase the utilization of PGP, although users probably would complain!) Even if not every remailer did this, you'd still get pretty good security if several of them did. Hal