anonymous return addrs.

[Hal]

Marc.Ringuette writes:

  2. The anonymous message includes a cryptographic "stamped
     self-addressed envelope" which contains a layered list of
     remailer addresses encrypted at each layer.  This requires
     modified behavior of remailers; they must be willing to "unwrap"
     an address-list separately from the message body, and then
     "wrap" the entire message with the destination's public key,
     in order to disguise the correspondence between input and output.
     I think this has been discussed here before.  Has anyone
     implemented it?
        I strongly suggest that this method be implemented in
     the cypherpunks remailers.  Let's call it the SASE feature.
     What do you think?

I do think this is worth trying.  The current remailers will do the
"unwrapping" but they won't "re-wrap" in the public key of the next
remailer.  This means that the incoming and outgoing messages can
be easily matched up since the non-address portion is the same.

I'll look into trying something like this.  One issue is how the
remailer finds the public key of the next one in the chain.  The
simplest way would be for it to simply try a lookup on its PGP keyring
using the outgoing email address, and if it matches, encrypt it.
You'd want a special PGP keyring for this which had only remailer keys
on it.

(Or, it might be interesting to encrypt _all_ outgoing mail (even
to destinations) if we had a key for that outgoing address.  This might
increase the utilization of PGP, although users probably would complain!)

Even if not every remailer did this, you'd still get pretty good
security if several of them did.

Hal