Some thoughts on solutions to the remailer operator liability problem. It occurs to me that the risk for the remailer owner could be reduced by separating concerns. That is, introducing separate roles for setting up the remailer so that the identity of as many parties as possible is not determinable to the litigator. Model 1 ------- Separable roles: - person owning the remailer - person installing remailer software - person handling complaints to the remailer In this model a new remailer owner would anonymously email a member of the cypherpunks list asking if they would be interested in installing a remailer in the owners provided account. The remailer owner would anonymously open an account with an ISP offering anonymous shell accounts, and accepting digicash, or cash, and anonymously email the account details to the installer. Optionally, a third party (the maintainer) could be persuaded to accept complaints for the remailer, and (anonymously) send signed instructions to the remailer to bar certain receiving addresses. The only determinable target for a typical litigator would be the ISP. If a more powerful adversary were the litigator, such as a TLA anxious to demonstrate an excuse for it's continued existance, it is possible they may retrieve the identity of the installer (if they do indeed have taps and large IP traffic recording facilities for instance). They may try to hold the installer responsible if unable to find the owner. Model 2 goes some way to reducing risk for the installer. Model 2 ------- In this model the additional separable role of setting up a shell command mail processor on the account is introduced. What I mean by this is as has been discussed on the list recently, that a mail handler which executes signed shell commands emailed, and anonymously emails back the command output. That is to say the remailer owner now passes the account information to the installer of the mail processor. The shell installer sets up the command processor, and leaves. Now the owner gives the PGP secret key of the command processor to the remailer installer (or if the owner feels competent, does this part themselves). Provided that the anonymous remailers used for all of the steps are type2 mixmaster remailers, the system should be much more secure. Adam -- #!/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj $/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1 lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/)