Much of today's anonymous remailer technology is based on internal correspondence tables which store an anonymous ID (NYM) and a real-world email address. This approach is fundamentally flawed, as it allows severe, user-transparent compromise of anonymity if the remailer host is cracked. The compromise of any portion of an anonymous remailing system should result in as little privacy infringement as possible. Upon hearing that a major anonymous relay site had been compromised, I decided to explore the design of an anonymous remailer that would yield as little information as possible.
I am now publishing the design notes for Anubis for peer review, and will be turning them into an Informational RFC. I welcome comments and suggestions on how to make Anubis as secure as possible, as well as descriptions of potential attacks on the service. I believe that anonymous communication is vital to a true information economy, and promotes communication between subcultures. Please send your comments to strata@virtual.net, and include the word "Anubis" in the subject.
There is at present no existing Anubis code base, published or unpublished; I am waiting to refine the design before implementation. I hope to have an alpha implementation available by December 1994.
The design notes below are rough, working notes only. Please feel free to ask for clarification on any points that seem vague or self-contradictory. These notes are as much an exploration of the possibilities of anonymous remailers as a specific Anubis design. These notes were originally created using the ACTA outline processor on a Macintosh; I have included a "plain" version, formatted for easier reading, as well as the ACTAfied version with section, subsection, and sub-sub-sub (ad nauseam) section numbers. The former will be much more readable, and the latter will enable reviewers to refer to specific text easily with a fair degree of precision.