In article <9501312152.AA10208@toad.com>, <kevin@elvis.wicat.com> wrote:
It seems to me that the current remailer web suffers a fundamental flaw. It is simply too static.
It is worthwhile remembering that a remailer network has two characteristics of service: the fact of delivery, and silence in the internal facts of that delivery. That is, you want your email to get there, but you don't want anybody else to know how it got there. There are correspondingly two trusts in the function of a remailer, namely, a trust in reliability, and a trust in silence. It is very important to remember that only one of these is externally verifiable. Your mail gets to its final location; you can tell that. What you can't tell (external to the remailer) is whether the remailer kept a copy of the mapping between input and output messages. Now, dynamic rerouting is good for better delivery, but is bad for the trust in silence. Trust in externally unverifiable properties is _not_ transferrable. Just because I believe that my regular remailer is OK does not mean you do. The creation of these links of trust is not something that can be automated solely by the remailer operators. The end users of the remailers are the endpoints of this trust relationship. The end users must be involved, either directly or through some (legal) agent, in the manipulation of these relationships. Any solution which tries to do this independent of the end user is broken, by definition. Eric