IMHO a remailer operator should *NEVER* reveal any identities, but I also believe very strongly that especially if you provide a way to post news articles, there has to be a way to send replies to the original sender. Thus a remailer must maintain mapping info.
I like this. Does it make sense (and has it already been talked about?) to preserve the return information only for a limited time?
It could make sense. It would make _practical_ sense in a scheme like the one I proposed (then amended thanks to John Gilmore's comments) in which the remailer encrypts the return addresses with a key that is regularly changed. Just forget the old keys after a certain amount of time. (BTW, forget I ever said anything about using timestamps as salt. The amount of known-plaintext per message is huge if you do that. Any PRNG would be better. I must have left my brain at home yesterday...) Joe