From: gnu@toad.com (John Gilmore):
There seems to me to be a serious problem with the "novel return address" idea. The information that ties together multiple anonymous messages from the same person is out in the world, encrypted by a single key in a conventional cipher.
[attack methods deleted]
The idea also suffers from the dossier problem -- all the information about return addresses will exist in a single place (at the remailer site) where it's tempting for a government (or other adversary of privacy) to try for it.
Keep thinking, folks! We aren't there yet...
Quite true. I guess I never really made it clear that I don't believe this return address method is very secure, just better than the current version available through anon.penet.fi. Certainly it's no reason to abandon the work on SASE's for cypherpunk remailers.

My idea was just to make it difficult to associate different messages from the same anon user, while keeping anon.penet.fi's current framework. Now all messages from the same user bear the same return address (e.g. an1234). If you reveal your identity in one anonymized message, all of your past messages can be easily linked with you. Under the new scheme, associating two messages from the same sender would require breaking the remailer's cipher. Yes, it's possible, but it's not trivial.

It's also possible to limit the damage done when a single key is compromised. Change keys periodically (weekly? daily?) and include a few bits at the front of the return address that will let the remailer know which key to decrypt the rest with.

The dossier problem is a real one, of course. If Julf or his machine is compromised, all the aliases could be revealed. But that's true now, as well.

Joe
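The scheme discussed in this message, as an added sketch that is not part of the original post or of anon.penet.fi: each outgoing message gets a fresh return address that encrypts the sender's identity, with a key id at the front so the remailer knows which periodic key to use. All names here are hypothetical, the keys are constructed, a whole byte stands in for the "few bits" of key id, the HMAC-based cipher is a standard-library stand-in for a vetted authenticated cipher, and `retire_key` is an extension showing what rotation buys.

```python
import base64, hashlib, hmac, os

# Constructed demo keys (key id -> secret). A real remailer would generate
# random keys and rotate them on a schedule (weekly or daily, as suggested).
KEYS = {0: b"constructed demo key, period 0", 1: b"constructed demo key, period 1"}
CURRENT_KEY_ID = 1
NONCE_LEN, TAG_LEN = 8, 8

def _keystream(key, nonce, n):
    # HMAC-SHA256 used as a PRF; one block limits the identity to 32 bytes.
    return hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()[:n]

def _tag(key, data):
    return hmac.new(key, b"mac" + data, hashlib.sha256).digest()[:TAG_LEN]

def make_return_address(user, key_id=None):
    """Return a fresh return address for `user`; two calls never match."""
    key_id = CURRENT_KEY_ID if key_id is None else key_id
    key, nonce, pt = KEYS[key_id], os.urandom(NONCE_LEN), user.encode()
    if len(pt) > 32:
        raise ValueError("identity too long for this sketch")
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    body = bytes([key_id]) + nonce + ct   # key id goes at the front, in clear
    return base64.b32encode(body + _tag(key, body)).decode().rstrip("=").lower()

def resolve_return_address(addr):
    """Map a return address back to the user, or None if it cannot be opened."""
    try:
        raw = base64.b32decode(addr.upper() + "=" * (-len(addr) % 8))
    except ValueError:                    # not valid base32
        return None
    if len(raw) < 1 + NONCE_LEN + TAG_LEN:
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    key = KEYS.get(body[0])               # prefix selects the decryption key
    if key is None or not hmac.compare_digest(tag, _tag(key, body)):
        return None                       # retired key or tampered address
    nonce, ct = body[1:1 + NONCE_LEN], body[1 + NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()

def retire_key(key_id):
    """Destroy an old key: addresses issued under it can no longer be opened."""
    KEYS.pop(key_id, None)
```

The remailer stores only the keys, not a table of aliases, but anyone who obtains a key can open every address issued under it, which is why the key id and rotation matter.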