For example, if at any time, Alice sends pseudonymously to Bob, Bob can not reply directly: this would expose his identity at anon.penet.fi. Bob must reply through a remailer.

Note the irony -- Bob must take special steps to protect his pseudonym because anon.penet.fi is acting affirmatively to conceal his actual identity. If Bob slips up and simply replies, he is exposed.

This, unfortunately, is true. I *have* to use a remailer to hide any anon.penet.fi alias I have or the sender will see it and know I am (for eg) anon1234@penet. I balk at Yet-More-F******-Header-Lines (YMFHL) but a _possible_ patch is to have a: X-Show-My-Anon: yes|no (in the header), or: :: X-Show-My-Anon: yes|no (in the body) addition so people who reply to a message from penet can feed their real email address through the system rather than having it bounced to the recipient as their anon id. This would require either a smart mailer, checking exactly who the orig letter was addressed to (your anon or your real address) and inserting the line as appropriate. It *should* be automatic actually. All it has to do is check a local list of your anon addressed and if someone has mailed it then alter the above line as needed. This raises question of the security of local lists of your anon addrs of course.. but you get the idea.. Comments? (BTW I saw someone's .sig where they *advertised* their anon id on USENET. Presumably this was because he thought thats what you had to do so others could email them anonomously... obviously he wont be a whistle blower :) Mark mark@coombs.anu.edu.au