From: Dave Barr (barr@cis.ohio-state.edu)
Date: Fri Jun 04 1999 - 15:43:45 CDT
Brad Templeton wrote:
>
> On Fri, Jun 04, 1999 at 03:08:23PM -0400, Dave Barr wrote:
> > Don't mix things. There's up to two signatures on a Usenet article in
> > the idea I was referring to. A take-your-pick mail-style body signature
> > and a yet-to-be-designed header signature.
>
> Sorry, I was rejecting your proposal. Partial security is only marginally
> better -- and sometimes worse -- than no security. At least you have
> no expectation of security when there is no security.
Well, I guess I reject your idea that this is partial or no security.
> What does it mean to sign "just the body" of a USENET article? Just what
> is being authenticated with the signature? That the body wasn't modified
> in transit? That's useful but really a sidebar on the priority list.
>
> That it came from a particular person? That's useful, but why would
> you design something that tries to certify that but doesn't verify the
> >From line?
If the signature system verifies the From: line, it will. Don't keys/certs
contain the person's From: address?
> Since there are articles that have no bodies (control messages) one could
> have a header only system, but a body-only system can be worse than
> valueless, because it leads people to think there is some security there,
> when all the most important stuff can be forged.
I guess I've never used a secure mail system which did NOT at least
certify where it came from (i.e. the From: address). Is that not the
point of such a system?
Obviously if it is a control message then that requires the use and
verification of the header sig. If it's not a control message than
who cares if the header (besides From) was modified? The mail people
don't care -- why should we?
I don't see what you're arguing against.
You're arguing against having a body sig because it can't certify the
header, while ignoring the fact that a header sig would indeed certify
the header on all the cases that matter to Usenet.
--Dave
-- http://www.cis.ohio-state.edu/~barr/ barr@cis.ohio-state.edu