One point re remailer reliability: Even though in my discussions with Nathan I did not really agree with his suggestion to have remailers check signatures on incoming messages, actually Chaum did propose something similar in his 1981 paper. He would have each remailer sign the batch of messages it outputs each cycle. (Chaum's remailers used a straight batching approach.) The idea, as I recall, was to allow a remailer to prove that it had not engaged in a denial-of-service attack by purposely dropping some message into the bit bucket. If some customer put his message in here and it didn't ever come out over there, I guess the remailer could prove that it didn't lose the message by showing its signed batch. I'm not clear on the details though. Anyway, here is an area where message signing and reliability have some intersection. Hal