RE: More thoughts on From: lines



On Wed, 26 Feb 2003, Lucky Green wrote:

> Len wrote:
> > Is there any reason not to continue to permit nym servers to
> > directly deliver mail? I can't think of one.
>
> If the decision has been made (has it?) that all outbound email from
> nyms must use a nym server as the exit hop, the requirement for
> mixminion nodes to support configurable Subject: lines goes away
> entirely and instead becomes a requirement on the nym server.

The only reason I can see for adding the additional complexity that having
other exit nodes for nym mail entails would be to make it harder for an
attacker to correlate which nym users are talking to whom. (If mail to be
delivered exits from the nym server only, this involves one network sniffer
installation to monitor a mostly-permanent service. If we allow mail to
exit via other exit nodes, it is more work for the attacker.)

I would be happy with a number of solutions, including accepting this
risk; permitting the nym server to forward mail to an exit remailer to be
delivered, which would trust the nym server's From: line; requiring that
the client always place the nym server second to last in the chain when
doing nym mail, so that the user can pick the exit node which in turn can
trust the From:; etc.

I think that doing more complex nym authentication by exit nodes is
unnecessarily adding complexity to the system. Having exit nodes believe
nym servers' From: lines should be fine. If the nym server is naughty,
this is a relatively low risk way of discovering that.

> This of course triggers an additional requirement on the client to
> ensure that outbound nym email is always routed through a nym server as
> the exit hop.

Yes. That would be done for the user by the client. After the user opens a
given nym profile, the client knows all it needs to to make this work.


--Len.