[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: First go at directory server details
[snip]
This is a "best is the enemy of the good enough" situation. I am convinced
that if we continue down this path, Type III will fail to be adopted.
Users and remops will never sign on to a system which can be rendered
inoperable with the simple failure of four servers.
I am also find Roger's assertion that two remailers using slightly
different directories are participating in two different anonymity sets to
be misleading. There is the issue of overlapping, rather than distinctly
different, anonymity sets that we must consider. These are not the same
beasts.
It is important that we do our best to increase the likelihood that all
users are of the same anonymity set, and that active attackers cannot
isolate individuals trivially, or that the system can balkanize easily.
However, discarding or refusing to send mail when directory conflicts
occur is a sure way to guarantee that Type III remailers will never be
anything more than an academic curiosity.
Users are concerned about reliability first, usability second, and
perceived security third. Our goal is to give them real security and not
just perceived security, but we must also deliver usability and
reliability, or our offering will be rejected.
--Len.