From: Brad Templeton (brad@templetons.com)
Date: Fri Jun 04 1999 - 15:05:29 CDT
On Fri, Jun 04, 1999 at 03:08:23PM -0400, Dave Barr wrote:
> Don't mix things. There's up to two signatures on a Usenet article in
> the idea I was referring to. A take-your-pick mail-style body signature
> and a yet-to-be-designed header signature.
>
Sorry, I was rejecting your proposal. Partial security is only marginally
better -- and sometimes worse -- than no security. At least you have
no expectation of security when there is no security.

What does it mean to sign "just the body" of a USENET article? Just what
is being authenticated with the signature? That the body wasn't modified
in transit? That's useful but really a sidebar on the priority list.
That it came from a particular person? That's useful, but why would
you design something that tries to certify that but doesn't verify the From
line?

Since there are articles that have no bodies (control messages) one could
have a header only system, but a body-only system can be worse than
valueless, because it leads people to think there is some security there,
when all the most important stuff can be forged.
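
Added example, not part of the message above and not code from any Usenet signing proposal: it compares a body-only check with one that also covers headers, on two constructed articles whose From line is changed after signing. HMAC with a constructed key stands in for a real public-key signature, and the SIGNED_HEADERS list and all function names are assumptions made for this sketch.

```python
import hashlib
import hmac
from email import message_from_string

KEY = b"constructed-demo-key"  # assumption: HMAC stands in for a public-key signature
SIGNED_HEADERS = ("From", "Newsgroups", "Subject", "Message-ID", "Control")  # assumed list

# Constructed sample articles; the second is a control message with no body.
POST = ("From: alice@example.org\nNewsgroups: example.test\n"
        "Subject: meeting moved\nMessage-ID: <1@example.org>\n\n"
        "The meeting is moved to Tuesday.\n")
CONTROL = ("From: alice@example.org\nNewsgroups: example.test\n"
           "Subject: cmsg cancel <1@example.org>\nControl: cancel <1@example.org>\n"
           "Message-ID: <2@example.org>\n\n")


def _mac(parts):
    """MAC over length-prefixed parts so field boundaries are unambiguous."""
    data = b"".join(len(p.encode()).to_bytes(4, "big") + p.encode() for p in parts)
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()


def sign_body(article):
    """Body-only scheme: no header is covered."""
    return _mac([message_from_string(article).get_payload()])


def sign_headers_and_body(article):
    """Header-covering scheme: the listed headers and the body are covered."""
    msg = message_from_string(article)
    return _mac([f"{h}:{msg.get(h, '')}" for h in SIGNED_HEADERS] + [msg.get_payload()])


def verify(article, sig, scheme):
    return hmac.compare_digest(scheme(article), sig)


def run_checks():
    altered_post = POST.replace("alice@example.org", "someone-else@example.net", 1)
    altered_ctl = CONTROL.replace("alice@example.org", "someone-else@example.net", 1)
    return {
        "body_only_accepts_changed_from": verify(altered_post, sign_body(POST), sign_body),
        "full_accepts_changed_from": verify(altered_post, sign_headers_and_body(POST), sign_headers_and_body),
        "body_only_sig_same_for_any_bodiless": sign_body(CONTROL) == sign_body(altered_ctl),
        "full_accepts_changed_control": verify(altered_ctl, sign_headers_and_body(CONTROL), sign_headers_and_body),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

For the bodiless control message the body-only value is computed over an empty string, so it is identical for every such article and says nothing about who issued it.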