Re: Reply blocks and tagging protection: a third variant

[Roger Dingledine <arma@mit.edu>]

On Tue, Apr 09, 2002 at 09:16:23AM -0400, George Danezis wrote:
> On Sun, 7 Apr 2002, Roger Dingledine wrote:
> > Which leads to the issue of putting destination information in the payload
> > vs the header. I'm still not convinced by George's statement that it
> > should go in the payload.

[snip]

> The idea is not to explicitly put all routing information in the payload. 
> Routing information should stay in the two headers. The point I tried to 
> make is that the second header depends on the correct decryption of the 
> payload and therefore if the payload is modified it is not possible to 
> continue with the delivery. Note that this property is stronger then just 
> including a hash to check the payload that a malicious node could ignore.
> 
> As I say before no routing information is in the payload, only in the 
> second header, which is treated exactly like the first one after a certain 
> stage. I do not see how tagging attacks would work against it.

So George, does that mean you agree that destination and delivery
information, such as recipient email address, should go in the headers?

I ask because there isn't room for it in the current notion of a header
hop. We might make an extra hop in the header (an extra 128 bytes) that
specifies email address, or whatever delivery address is being used.
That way when it's time to deliver, that node pulls off the next header
hop and uses the data in it. Pulling off more than one hop worth of info
should work fine in any of the schemes we've proposed.

--Roger