Re: Notes from Conversation with Roger

[Roger Dingledine <arma@mit.edu>]

I talked at length with Lucky Green and Noise at FC02. I now have a
pretty good intuition about the current user base and the problems they
see with the current system.
 
They said that the current codebase is ugly but it works, so we'd have
to introduce compelling new features to get people to switch. SURBs are
such a feature.
 
They said that the current clients (Windows-only, of course) are actually
quite slick and convenient.
 
Lucky really wants some sort of statistics built-in. Not logging of
specific messages, but good capability for getting an idea of "how the
network is doing". Things like how many messages have gone through today,
how many of those were dummies/pings, how many to where, etc. Something
that would give the node operator some idea of how his system is being
used. I think if we did a good job at this, we'd get a lot of converts
from the current remops. (Think of it like the incentive people have
for running seti@home or descrack -- it's all about the "how am I doing"
page, right?)
 
The real reason there aren't more nodes (and, related, not more reliable
nodes) is abuse. There are a very limited number of jurisdictions where
people can set up a remailer and keep it up. And it often isn't a matter
of legality so much as people not wanting to deal with the hassle.

and now to clarify some of Nick's points.

On Thu, Mar 21, 2002 at 12:51:29AM -0500, Nick Mathewson wrote:
>      OBSERVATION 3: Roger likes hybrid topologies, especially (from what
>      I can tell) ones that start with a free-route, but which end with a
>      short cascade to an exit (or destination) node.  These would seem 
>      to be a natural consequence of a system with many more relay nodes
>      than exit nodes.

Actually, that particular topology isn't any more interesting to me than
similar ones. I don't know what's good; but I agree with George that it
would be really nice to have a policy language to describe what a mix
node is willing to do.

>      OBSERVATION 4: There's a difference between "anonymous receiving
>      systems" and "anonymous sending systems."  [I don't remember what
>      this had to do with abuse.

The key idea here is that certain applications, such as Free Haven,
can be built on top of this mix design and completely avoid the abuse
issue. Free Haven nodes have all signed up to get the data. So there's a
difference between "I want to be able to anonymously send mail to anybody"
(a much harder problem) and "I'm participating in the system."

>    - (Roger wants Mixminion to support what Mixmaster does, plus 
>       cascades, plus support for Free Haven.)

Right. I was trying to figure out what would make the system useful for
me, and the answer is that I'd like to support a variety of hybrid mix
topologies, and I'd like to support pseudonymous-location servers. The
latter is of course harder. But that's a problem for another time --
don't let it distract you yet. :)

>    STRATEGY NOTE 4: We should keep the trust network human for now.
>    We should track performance of nodes, but let humans decide how to
>    choose paths.

What I meant here is that our protection is going to come from human-built
trust edges. It's not going to come from any automated "I've measured
performance and know that they're a good node to use" system. We need to
keep this in mind, and consider ways to integrate a PGP-like web of trust.

--Roger