-----BEGIN PGP SIGNED MESSAGE----- David,
As was said, the doubleblind system is a great idea, but incomplete if you want to correspond to someone without revealing your anon id.
Well, I don't agree that doubleblind is a great idea. For example, if at any time, Alice sends pseudonymously to Bob, Bob can not reply directly: this would expose his identity at anon.penet.fi. Bob must reply through a remailer. Note the irony -- Bob must take special steps to protect his pseudonym because anon.penet.fi is acting affirmatively to conceal his actual identity. If Bob slips up and simply replies, he is exposed. Hal,
(It's interesting that he also sent his message via one of the Cypherpunks remailers. Maybe he thought they worked like the Penet remailer and he could break anonymity on those as well.)
Actually, I don't know why my message went through a Cypherpunks remailer -- I didn't ask it to. I don't know of any weaknesses in the Cypherpunks remailers (other than extreme vulnerability to social engineering).
Evidentally there is positive harm that can occur by automatically anonymizing all messages which pass through a remailer. ... For anonymous posting and for mail to a non-anonymous address, it's more reasonable to assume that anonymization is desired. ... But when sending a message to an anonymous address, it's not known whether the sender wants to be anonymized or not.
I think it's imperative that the sender use X-Anon-To to be pseudonymous. This is consistent with the principle of least astonishment.
It might seem that people should just be careful about what they send through Penet, but there are some problems with this. What do you do if you get a message from an5877@anon.penet.fi asking for advice on cryptography mailing lists? If you reply, your questioner can figure out who the reply is coming from, and sees your Penet alias. There is no way to prevent this from happening currently.
A Cypherpunks remailer can be used to conceal the correspondent's pseudonymous identity.
Also, I have seen proposals that anonymous ID's should be made less recognizable, so that instead of an5877@anon.penet.fi we would have joe@serv.uba.edu. In such a situation it might be tedious to scrutinize every email address we send to (via replies, for example) to make sure it isn't a remailer where you have an anonymous ID.
It would be a real boon to make pseudonyms less prominent -- this seems to have kicked over a hornet's nest on USENET (even though pseudonyms have been quietly in use for years). But were this the case, scrutiny would be an understatement.
All in all, I think some changes need to be made in how anonymous addresses are used and implemented in order to provide reasonable amounts of security.
I agree that more discussion is in order. I'm especially concerned about the broader issues regarding anonymity through remailers. DEADBEAT -----BEGIN PGP SIGNATURE----- Version: 2.1 iQBFAgUBK4mrrvFZTpBW/B35AQE+PQGAh69FcaATFD05lIuhqqK8ZMmV+8xNi/LN 7kxDSgFgB9J/A9rRgAL6S1Ux2ojU4opP =RGlc -----END PGP SIGNATURE----- ------------------------------------------------------------------------- To find out more about the anon service, send mail to help@anon.penet.fi. Due to the double-blind system, any replies to this message will be anonymized, and an anonymous id will be allocated automatically. You have been warned. Please report any problems, inappropriate use etc. to admin@anon.penet.fi. *IMPORTANT server security update*, mail to update@anon.penet.fi for details.
Well, I don't agree that doubleblind is a great idea.
Neither do I. But many of the users of anon.penet.fi are not very computer-and-email-literate, and they have been using other services, providing double-blind. Unfortunate, but too late to change now... What we can do is to provide better ways for those who *are* computer literate enough to use extra headers etc.
Evidentally there is positive harm that can occur by automatically anonymizing all messages which pass through a remailer. ... For anonymous posting and for mail to a non-anonymous address, it's more reasonable to assume that anonymization is desired. ... But when sending a message to an anonymous address, it's not known whether the sender wants to be anonymized or not.
I think it's imperative that the sender use X-Anon-To to be pseudonymous. This is consistent with the principle of least astonishment.
But in this case I feel the principle of least astonishment is overruled by the principle of least risk of accidental exposure.
Also, I have seen proposals that anonymous ID's should be made less recognizable, so that instead of an5877@anon.penet.fi we would have joe@serv.uba.edu. In such a situation it might be tedious to scrutinize every email address we send to (via replies, for example) to make sure it isn't a remailer where you have an anonymous ID.
It would be a real boon to make pseudonyms less prominent -- this seems to have kicked over a hornet's nest on USENET (even though pseudonyms have been quietly in use for years). But were this the case, scrutiny would be an understatement.
I think that hornet's nest needed to be kicked. But I am also disappointed that not enough people defend the need for anonymity in places like news.admin.policy. I think pseudonyms *should* be prominent - as you have noticed, anon.penet.fi adds an explicit warning at the end of every message.
All in all, I think some changes need to be made in how anonymous addresses are used and implemented in order to provide reasonable amounts of security.
I agree that more discussion is in order. I'm especially concerned about the broader issues regarding anonymity through remailers.
Agree 100%. Julf
participants (2)
-
Johan Helsingius -
nowhere@bsu-cs.bsu.edu