-----BEGIN PGP SIGNED MESSAGE----- Tim May writes:
Phil Karn comments on my proposal:
(Cypherpunks remailers may want to change the "Nobody" and "Anonymous" tags to names that are less screenable, less susceptible to censorship by ARMM-type programs...
I'm not sure I like this idea. In my own discussions with people on this issue, I've found that "filterability" (for lack of a better term) overcomes *many* (if not all) of the standard objections to anonymous email.
A very good point. I was thinking more about the "ARMM"-style attacks and not so much about the normal filters people might write to keep from seeing anonymous posts.
I guess the solution is to discourage global, ARMM-style filters (and perhaps even look again, as a community, at digital sigs for postings, so
We may be getting ahead of ourselves here. Because of design decisions in the cypherpunk remailers, I think they'd be a poor infrastructure for anonymous Usenet posting. Anonymous posting has been around as long as Usenet, in the form of forged messages. The most important service Julf's remailer provided was a _return_path_ for replies, something cypherpunk remailers take deliberate steps to destroy. If one of the cypherpunk remailers suddenly decided to implement anonymous Usenet posting as-is, I think ARMM II would be the least of its problems. I have been working through a few ideas for the design of a _distributed_ anonymous posting service, in which the loss of one machine would not destroy all return addresses at that machine, nor compromise the return- path database. A handful of penet-style servers who share their return- address databases (kept updated through an encrypted e-mail protocol, perhaps) act as a Usenet "front-end" for posting. But their databases contain encrypted SASE paths through several cypherpunk remailers, instead of normal return addresses. Messages posted through any of the front ends could be sent to the same user-name at any of the other front-end machines, since they keep the same databases. In order to assure that SASE return path is robust, despite an environment in which remailers may be shut down at any time, secret sharing might be used for remailer private keys. When a remailer went down, a quorum of the remaining remailer operators would nominate a site to replace it, and send the "pieces" of the lost remailer's secret key to the replacement site's administrator. The remaining remailers would adjust their "routing tables" so mail whose next hop should be to the lost remailer is sent to its replacement instead. The best part is that all of this would be transparent to the Usenet user, who would just see a penet-style return address, along with a note in the automatically appended signature that said that "if mail to an1234@foo.com bounces, just try an1234@bar.uk or baz.fi," or whatever. No doubt there are some problems with this scheme (traffic analysis attacks on the SASE paths if the front-end database is compromised, etc.) that need to be addresssed, but I offer it as a preliminary idea for a replacement service whose stability would not be subject to the whims of any one site or network connection. that only the author can cancel them). Agreed. This could even be implemented into today's news structure. Old servers would continue to blindly heed all cancel messages, while the new software would verify PEM-style signatures, possibly as a header field. And if a cabal of prudish newsadmins wanted to let each other cancel those offensive anonymous articles at their sites, they could simply tell their software to accept cancels signed by cabal-members' keys. I don't see how anyone could oppose this. -----BEGIN PGP SIGNATURE----- Version: 2.2 iQCVAgUBK7Hk7Iwu6QoBw6rbAQF5owQAlfXjo8G+cKiSVEbfIBAXIAsmTJkBLcAH OhCzyXZXyCKeH5J8yB9cgTgpCsxQCdBgQLsW2aqvyWaVgMX4rXvjx6vqYbm4BW5p 9OQ6YhLI17zArrqPPsyzbYYHwUXXY2vYEWAmFXNhYBv9r4vbbT3IqPJgCTKltShA 5ho53DEkIRA= =6q8R -----END PGP SIGNATURE----- -- Joe Thomas <jthomas@access.digex.com> PGP key available by request or by finger. PGP key fingerprint: 1E E1 B8 6E 49 67 C4 19 8B F1 E4 9D F0 6D 68 4B