From: Bill Davidsen (davidsen@prodigy.com)
Date: Thu Jul 08 1999 - 09:14:02 CDT
In <37838DBE.1D240ECE@templetons.com> <brad@templetons.com> notes:
> If the concept of injection is to have any security implications -- which is to
> say we have different rules about who can relay (IHAVE) vs. who can
> inject (POST), then you don't want to allow the injection route to do
> all the things the relaying route can do. Otherwise what is the point of
> having restrictions on who can do which?
Total agreement on this one, users (POST) should be handled as
non-trusted sources. A peer site should be trusted, and should be
allowed to have its own rules and procedures. Obviously if they start
feeding me a lot of local spam they go away, that's a given.
> The main restriction being discussed is who is allowed to set audit-trail
> headers, including Path but also any other injections headers.
>
> However, we must not forget we have given the injector some other duties,
> namely final responsibility for the user who injected the article, and
> the duty of forwarding posts to moderators.
That's perhaps the clearest and least controversial description of the
injection site I've seen! The site which has responsibility for mailing
to moderators is the injection site, none other need apply.
And as a side question, what do various news implementations do when
they get a post to a moderated group with an approved header in a POST.
I know what my perl filter does, but not what any software would do if
it saw the article.
-- -bill davidsen (davidsen@prodigy.com) "The secret to procrastination is to put things off until the last possible moment - but no longer" -me