On Fri, 30 Aug 2002, Adam Shostack wrote:
I'd like to suggest that while this may be fun, usability and getting millions of users to see that remailers are useful to them is a more useful goal.
I agree, although I fail to see how working on this would interfere with that goal in any way.
The anonymity set provided by the current extant systems is too small to protect anyone against anyone who is willing to kill or disappear people as part of their attacks against the remailers.
I find this disbelievable. I suspect there are many groups which do not have the capability of defeating the remailer system who would still like to see it eliminated. Willingness to kill or disappear people isn't necessarily tied to technical capability, though I agree that entities which can defeat the remailer network without "disappearing" anyone are unlikely to pose a threat to the remops. If our goal is to make remailers harder to defeat, however, beforehand might be the right time to address the problem of "missing remailer operators." (Incidently, I could see this having uses outside the remailer operator world.)
Oh, yeah, and incidentally, if you build this system, the attacker can simply add a bit of rubber hosing to their remop elimination program.
To pry the signing key out of the victim? That's a personal "how much torture can I take" question for the victim to ask himself. He knows he'll be permanently disappeared after coughing up the private key. In many cases also it might be far harder to rubber-hose someone than simply cause an "accident". -MW-