From: Brad Templeton (brad@templetons.com)
Date: Fri Mar 03 2000 - 13:10:33 CST

On Fri, Mar 03, 2000 at 01:49:49PM -0500, Bill Davidsen wrote:
> Brad Templeton <brad@templetons.com> noted:
>
> > However, I still strongly advise that a server simply discard articles
> > that fail signature tests rather than put any burden on the newsreader
> > to check such a header.
>
> This would be the "new server - any reader" case, but it requires some
> changes to the server, so it won't be there instantly. And some sites by
> policy don't honor cancels, etc, and won't do it even though they could.

Saying that sites that don't honour unverified cancels (which are widely
abused) would not honour signed cancels (which can't, except by key
compromise, be abused) is a big leap.

However, the client effectively can't do signature checking on its own.
I mean it's not totally impossible but it is impractical. There's really
little to be gained except through server code, and besides, why even
suggest that clients have complex signature checking code (and go through
the large overview burden of it) when it is simpler to put it in servers?

> Some people want to see everything and make their own decisions. As long
> as there's a mechanism by which both the server and the reader can
> identify the bogus articles, the goal has been reached.

Really? I mean really you think that the number of people who want
to read, in-line with other articles, the forgeries is significant? That
it's more than .01% of the population of USENET? I don't mean the
ones who want to track them. They can do it by reading a special junk-like
newsgroup.

You're saying there are really a *lot* of people who want to read the
forgeries inline? Then we should not have the server check the approved
header either.
>
> I'm sure I can do the validation at user level with a trn macro, and I'm
> sure someone could write a plug-in or whatever for Netscape. If it's a
> good idea other client software will follow.

Oh, checking a header can indeed be done easily, but why? It's a new
header to put in the overview, and if you are on a modem line, the overview
is way too big as it is already. I find it a pain even over DSL!
>
>
> I'm torn between the elegance of just signed articles which anyone can
> read and the motivation of encrypted posts which will encourage client
> providers to add decryption features.

There is no, zero, zip, nada value to encrypting posts in a public newsgroup.
(Other than rot13 I guess.) That suggestion made no sense at all.