Hackerpunks and C2

[ Although this post deals, for concreteness, with a specific mailing list, I hope that cypherpunks will appreciate how the problem alluded to points out a weakness in C2's current nym scheme, which is especially exploitable in the context of general nym based mailing lists being run via similar servers. ]

The proposal for a Hackerpunks nym based mailing list is interesting; however, there are some concerns regarding the susceptibility of the list to traffic analysis. The contents of the list will clearly not be secret since anyone can create a C2 nym and then subscribe.

For a given bag of messages, B, let L(B) denote the bag of the lengths of the messages in B. (A length, x, appearing n times in L(B) if and only if there are n messages of length x in B.) Let B_x denote the bag of messages that subscriber x receives. If for any two subscribers, a and b, L(B_a)=L(B_b), then someone cooperating with many ISPs could easily guess who was and was not subscribed to the list by seeing if a customer received a bag of messages, M, with L(M)=L(the bag of messages actually posted to the list).

A solution to this might seem to be to append to each message posted to the list a pad varying randomly in length between each subscriber who was to receive a copy. However, if the list ownership ever fell into evil hands, the lengths of the pads could be chosen non-randomly, and thus provide very convincing evidence that someone receiving messages of the non-randomly chosen lengths was the owner of the given nym.

There is also a concern that the owner of Hackerpunks could be discovered with a traffic analysis similar to the one used to determine list subscribers. This time, let P be the bag of messages (with padding deleted) posted to the list. If someone were to watch to see if some node on the Internet received a bag, I, with L(I)=L(P), then that person could guess that that node had a user who was the owner of the Hackerpunks mailing list.

As before, it would, of course, not help the owner of Hackerpunks to ask their subscribers to help weaken this attack by padding their messages to random lengths, since a malicious enemy could then determine a non-random sequence of message lengths and send the corresponding messages to the owner of Hackerpunks for posting. This would only increase the likelihood that a node receiving those messages had a user who was the owner of the Hackerpunks mailing list.

The solution to the two dilemmas seems to be to ask that the C2 re-mailing code be modified so as to ensure that each message is padded to a fixed size before encrypting and being sent through the reply block. On the other hand, this would give away information that anyone receiving messages of this fixed length was likely the owner of some C2 nym.
participants (1)
-
Ecafe Mixmaster Remailer
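
The length-bag comparison described in the post, and what fixed-size padding does to it, as an added Python example (not part of the original post and not C2's code). The 4096-byte size, the length-prefix padding format and all sample message lengths are constructed assumptions, and plaintext length stands in for the length an observer would see on the wire.

```python
from collections import Counter

FIXED_SIZE = 4096  # assumed pad size in bytes; the post does not name one


def L(bag):
    """Bag (multiset) of message lengths, L(B) in the post's notation."""
    return Counter(len(m) for m in bag)


def contains_bag(observed, target):
    """True if observed holds every length in target at least as often."""
    return all(observed[length] >= n for length, n in target.items())


def pad_fixed(msg, size=FIXED_SIZE):
    """Pad to exactly `size` bytes (assumed format: 4-byte length + msg + zeros)."""
    if len(msg) > size - 4:
        raise ValueError("message exceeds fixed size and would need splitting")
    return len(msg).to_bytes(4, "big") + msg + bytes(size - 4 - len(msg))


def unpad_fixed(padded):
    """Recover the original message from a pad_fixed() block."""
    n = int.from_bytes(padded[:4], "big")
    return padded[4:4 + n]


def demo():
    # Constructed sample traffic; only the lengths matter to the observer.
    posts = [bytes(n) for n in (512, 1890, 733, 2301, 1890)]     # list posts
    other_nym = [bytes(n) for n in (640, 1024, 2301, 90, 1777)]  # another nym's mail
    plain_mail = [bytes(n) for n in (300, 1500, 4096, 88)]       # no nym at all

    def pad_all(bag):
        return [pad_fixed(m) for m in bag]
    target, padded_target = L(posts), L(pad_all(posts))
    return {
        "unpadded_subscriber": contains_bag(L(posts), target),
        "unpadded_other_nym": contains_bag(L(other_nym), target),
        "padded_subscriber": contains_bag(L(pad_all(posts)), padded_target),
        "padded_other_nym": contains_bag(L(pad_all(other_nym)), padded_target),
        "padded_non_nym": contains_bag(L(plain_mail), padded_target),
    }


if __name__ == "__main__":
    for name, matched in demo().items():
        print(f"{name}: length bag matches list traffic = {matched}")
```

With padding, the subscriber and the unrelated nym holder both match, so list membership is no longer visible from lengths, while the ordinary mailbox still does not match, which is the post's closing point that the fixed length itself marks nym holders.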