From: nelson@crynwr.com (Russell Nelson)
It seems like it solves two separate problems: 1) foiling traffic analysis, and 2) foiling a cheater remailer. The problems are separate, really, because if you really, really trust the remailer (as many people do Julf), then 2) isn't a problem. All you need to do is solve 1. Or, you can solve 1) by using a single remailer. A necessary but not sufficient step to foil traffic analysis is to strip headers.
There are a couple of advantages of chaining multiple remailers. One is that traffic analysis is an art, rather than a science, and to really foil it, you've got to know how good it is, which is hard. Long-term patterns may show up even though the traffic mixes are pretty good in the short run, and if you can spread out the remailer use and increase the traffic load, plus constantly sending encrypted traffic between remailers, it does make the job harder. If the Bad Guys can isolate their target to a few remailer users, they can often find the real one by rubber-hose or a small number of wiretaps at the user locations instead of the remailers; that's impractical if there are thousands of potential users in multiple countries across the remailer-chain. Another is that if one good trustable remailer can foil traffic analysis, then multiple remailers increases the chance that at least one of them is good. Sure, Julf's a good guy, but what if the KGB has kidnapped his grandmother, or the CIA has planted wiretaps inside his computer - will you know if it's compromised? There's also the reliability issue - what if the Finnish Phone Company decides Julf is using too much of their resources and cuts him off, or the Mafia steals one of your police-informants' remailers, or the California Public Utilities Commission declares email to be a common carrier and insists on auditing all transactions? Multiple remailer in a strongest-link chain reduce the risks. Bill