Eric Hughes suggests:

Currently to mail to person 1234 at penet, you send mail to

anon1234@penet.fi

This mail goes out anonymously from the sender, either using an existing mail address or creating one. But if one were able to reach person 1234 also with the email address, say,

name1234@penet.fi

the behavior could be _not_ to make this posting anonymous.

To wit, the 1234 indicates that you are replying to a pseudonymous recipient, and the anon/name pair indicate whether the sender is anonymous. Thus no change in default behavior, and no new header lines.

I'd extend Eric's idea to say that mail to a non-anonymous address (like Deadbeat's postings to Cypherpunks) should be shown as coming from "name5877" rather than "an5877". Then when we gullibly sent our true email addresses to him, our Penet anonymous ID's would not be revealed (because the "reply" command would send to "name5877" which would prevent the double-blinding). But, what would we do for anonymous Usenet posts (assuming those are still allowed)? If they are shown as coming from "an5877" as they are now, then Deadbeat's trick would work via posting to Usenet. ("Please send your current email address for information on the latest..."). If they are shown as coming from "name5877" then users who are accustomed to the old way of working will find themselves not being anonymized when they thought they would be. Deadbeat suggests:

Here's a way out that will satisfy me and Johan: assign Alice a new pseudonym here and now, one that will be good for replies only. If Alice has registered with the remailer in the past, i.e., if she has a password, then she knows how to X-Anon-To:, but has opted not to. If she has not registered, then it is also appropriate to assign her a new ID. However, should she later register, I suggest she be given a new, permanent, password-protected ID, just in case her earlier reply inadvertently exposed her real ID (in the way we have been discussing).

In essence, I'm suggesting that the Finnish remailer have two classes of anonymous IDs, one that is password protected, and one that is not. The former should never be used without the X-Anon-Password header.

A problem with this is that I would have to remember, for each different anonymous communicant I send to, whether I am using my "password" ID or my "non-password" ID. The difference would come down to what method was used when I initially began communicating with this person. If the initial contact was in response to mail they sent to my "real" email address, then I must remember to use the "non-password" ID for all succeeding communication, on the theory that they know my real email address. OTOH, if the initial contact was to my anonymous address, then I have to remember to use my "password" ID for all following communication, so that I don't accidentally reveal my "non-password" ID, which some people can link to my real address.

From this point of view, part of the problem appears to be the desire to live in both worlds - the real world and the shadow world. It will be hard to keep track of which world each communication is in.

Perhaps Deadbeat's and Eric's ideas could be combined, where mail to real email addresses would come from "name5877", and replies to such addresses would use the "non-password" ID. This might help people keep track of how to reply to each message. I still think there is a problem with how anonymous posts should be labelled, and how replies to such posts should be handled. Hal