Re: Remop inbreeding, or, the 'kidnap Len' attack

["Michael J. Freedman" <mfreed@cs.nyu.edu>]

> At this point, the "kidnap Len attack" isn't a threat we have to really
> worry about. At some point, it may be. Remops need to ask themselves:
> could you make a decision to destroy your keys rather than save the life
> of another remop? If you can't, you may want to get out of the game.

The continued strain of arguments of anon lists and cypherpunks always
seems to presuppose that a law-enforcement agency or other organization
which asks for information (either transcripts or your key) is
illegally/immorally overstepping its bounds.  At the risk of (incorrectly)
sounding as if I believe in key escrow, one of the strengths of multi-hop
remailers and their built-in distribution of trust is that the system can
provide a means to recover information (extractability) if unanimous
consensus is reached.

If a remailer operator is confronted with "kipnap Len", he/she can make
an informed decision whether they wish to expose information.  Take
another argument:  if the FBI has good evidence that Sept 11 attackers
used a remailer, wouldn't you wish to help out their investigation?  If
that evidence is indeed good, and isn't of the form "tell me everything
and anything you got for past year," don't you think others would (and
should) also agree?

It's not surprising that all offline anonymous ecash systems proscribe a
way for extracting identifying information in light of cheating
participants (double-spenders).

I think the use of human-decision-making in the loop is a *feature*, not a
bug, for anonymous systems.

--mike


-----
"Not all those who wander are lost."           www.michaelfreedman.org