I'm taking it that a "gopherhole" is different than the "message haven" I described, so maybe I missed something... A "gopherhole" and "message haven" are the same thing. We were using the term "gopherhole" because it was suggested that gopher be used as the underlying mechanism for a message haven.

but if the "gopherhole" sends out random messages (and presumably the ones you are interested in) then the "gopherhole" will eventually be able to figure out what messages you are interested in. And how would it know what messages you are interested in unless you tell it... it would then need to be able to tie your psuedonym to your real mail address, which defeats the entire purpose of what I described. But then, maybe the design goal of a "gopherhole" is different and I missed it. Yes. Under this model, a message haven must be trusted.

Maybe I wasn't clear in what the "message haven" offered... I'm trying to get away from the penet style mapping tables, persistent information tying you and your pseudonym, and solve the "unsolicited anonymous mail" problem. The message haven requires no trust, no tables, no information since it just accepts message and files them, and if you retrieve all the message, the haven can't figure out which ones you are interested in! This flavour of message haven would not require persistent tables. A crooked operator /could/ maintain them, but unlike penet they are not required. Every time you log into a message haven, you tell it what tags you are interested in. Here the level of trust is similar to that of a regular remailer. The remailer /could/ keep logs to destroy your anonymity, but we hope it doesn't.

I realize this solution is far from ideal. But as I posted before, I don't believe the numbers favour a message haven where everything is downloaded. I have this nagging feeling that there is some very elegant cryptographical way of doing this employing secret sharing, but I can't actually think of how to do it.