Including private gateway certificate in parcels could lead to fingerprinting

[gnarea]

Including the full certificate chain in a parcel could allow someone to cross link a private gateway across two or more endpoints served by that gateway.

This represents a privacy issue as it could be used for fingerprinting. It wouldn't be easy, as the attacker would have to have access to 2+ different services used by the end user, but it'd be increasingly likely as Relaynet gains traction.

One solution could be not to include the private gateway certificate in the sender certificate chain of the parcel, which has the negative effect of requiring the public gateway to keep a mapping of (private) endpoints to their corresponding private gateways -- Which wouldn't be necessary if you can fully rely on the PKI. On the plus side, fewer certificates in the chain should make most parcels significantly smaller.

Related issues

• Prevent a compromised courier from tracking cargo to/from private gateways #54
• Make private gateways use a different identity key pair when communicating via couriers #71