I don't know if anyone else has had this particular idea before, but it might be worth some consideration. I referred to it very briefly in my posting on RemailerNet v0.2 (RN02). Eric points out that users of remailer networks want to be able to trust in silence as well as trust in delivery, and RN02 accordingly specifies that messages should be erased immediately after acknowledgement of delivery. However, there should be a use for persistent store, for a remote encrypted database accessible anonymously. Everyone must have had this sort of experience: someone walks into your office. There is something on your desk that you would rather this other person not see. So you toss it into a drawer, to get it out of sight. Imagine that you are working on a document and someone walks into your office. Rather than tossing it into a drawer, you toss it to Finland. The document is sent encrypted. (The storage facility also encrypts it.) When its receipt is acknowledged, your local copy is destroyed, if you wish. You can retrieve it in seconds from anywhere, providing that the system supports the notion of an identify distinct from your log-in address. Ideally, the data is stored on a distributed data base, with some redundancy in case one or more gateways go down, and with the data striped across gateways, so that no one gateway has all of the data. Because the data is encrypted by you and encrypted by the EDDB, it cannot be recovered by anyone without your cooperation. If the data is striped over a number of gateways (with, say, every first byte here, the next byte there, the next byte at a third gateway, and every fourth byte at a fourth gateway), it would take widespread collusion even to recover a copy of the encrypted document. Once you have such a system in place, you could then do interesting things like storing a document in the EDDB, and selling it to someone by selling him your passwords. I also think that a very reliable version of this system could be used to handle electronic cash (e$). -- Jim Dixon