-----BEGIN PGP SIGNED MESSAGE----- David,
As was said, the doubleblind system is a great idea, but incomplete if you want to correspond to someone without revealing your anon id.
Well, I don't agree that doubleblind is a great idea. For example, if at any time, Alice sends pseudonymously to Bob, Bob can not reply directly: this would expose his identity at anon.penet.fi. Bob must reply through a remailer. Note the irony -- Bob must take special steps to protect his pseudonym because anon.penet.fi is acting affirmatively to conceal his actual identity. If Bob slips up and simply replies, he is exposed. Hal,
(It's interesting that he also sent his message via one of the Cypherpunks remailers. Maybe he thought they worked like the Penet remailer and he could break anonymity on those as well.)
Actually, I don't know why my message went through a Cypherpunks remailer -- I didn't ask it to. I don't know of any weaknesses in the Cypherpunks remailers (other than extreme vulnerability to social engineering).
Evidentally there is positive harm that can occur by automatically anonymizing all messages which pass through a remailer. ... For anonymous posting and for mail to a non-anonymous address, it's more reasonable to assume that anonymization is desired. ... But when sending a message to an anonymous address, it's not known whether the sender wants to be anonymized or not.
I think it's imperative that the sender use X-Anon-To to be pseudonymous. This is consistent with the principle of least astonishment.
It might seem that people should just be careful about what they send through Penet, but there are some problems with this. What do you do if you get a message from an5877@anon.penet.fi asking for advice on cryptography mailing lists? If you reply, your questioner can figure out who the reply is coming from, and sees your Penet alias. There is no way to prevent this from happening currently.
A Cypherpunks remailer can be used to conceal the correspondent's pseudonymous identity.
Also, I have seen proposals that anonymous ID's should be made less recognizable, so that instead of an5877@anon.penet.fi we would have joe@serv.uba.edu. In such a situation it might be tedious to scrutinize every email address we send to (via replies, for example) to make sure it isn't a remailer where you have an anonymous ID.
It would be a real boon to make pseudonyms less prominent -- this seems to have kicked over a hornet's nest on USENET (even though pseudonyms have been quietly in use for years). But were this the case, scrutiny would be an understatement.
All in all, I think some changes need to be made in how anonymous addresses are used and implemented in order to provide reasonable amounts of security.
I agree that more discussion is in order. I'm especially concerned about the broader issues regarding anonymity through remailers. DEADBEAT -----BEGIN PGP SIGNATURE----- Version: 2.1 iQBFAgUBK4mrrvFZTpBW/B35AQE+PQGAh69FcaATFD05lIuhqqK8ZMmV+8xNi/LN 7kxDSgFgB9J/A9rRgAL6S1Ux2ojU4opP =RGlc -----END PGP SIGNATURE----- ------------------------------------------------------------------------- To find out more about the anon service, send mail to help@anon.penet.fi. Due to the double-blind system, any replies to this message will be anonymized, and an anonymous id will be allocated automatically. You have been warned. Please report any problems, inappropriate use etc. to admin@anon.penet.fi. *IMPORTANT server security update*, mail to update@anon.penet.fi for details.