Here's a simple proposal for dealing with the kind 4 metadata leakage problem:
Discussion
someone suggested that the content of the envelope could be either a kind 4 or another kind 16 for extra redirection
I was thinking through that as well but was having trouble finding something that both works and isn't super complicated. It also increases the risk of a message getting dropped or delayed by too much if there are a lot of hops.
hmmm, some reason for why isnt an option to "while the kind is not 4, unwrap"?
That's doable, although it involves the sender revealing themselves at every hop since their pubkey is needed to decrypt.
I eventually decided it's simpler to use a new key to do the initial encryption and then not bother with any hops, but supposedly that it is one thing people have issues with. (There's also the issue of losing your own sent DMs if you don't remember those one-off keys. Perhaps a self DM could work here.
Apparently this idea was already proposed and has mostly been rejected in favor of methods that use authentication. I'm not sure if I like that since the relay operator still has all the metadata when there are ways to avoid that.