From: Brad Templeton (brad@templetons.com)
Date: Sun Jan 14 2001 - 13:08:03 CST
On Sun, Jan 14, 2001 at 07:33:34PM +0100, Dirk Nimmich wrote:
> Brad Templeton wrote:
> > The only rule I can see is that the injector SHOULD assure that actions
> > by the same user result in the same token, at least over a moderate period
> > of time, such as a week.
>
> From a privacy point of view the token SHOULD ALWAYS (i.e. MUST)
> be another one. With same tokens you can be de-pseudonymized if you
> post only one article with your real name and address. The token
> must be absolutely worthless to others than authorized staff, and
> this includes how many posts have been done by an individual and in
> which newsgroups.
This is a good point. However, to attain its purposes in spam-fighting,
the token needs to be the same over the course of a couple of days, but
should change after that period for the reason you specify.
This is easy to do by having the secret random number which generates the
token change every day or two days, ideally at some random time.
A better built system would notice the from line, and give each user some
number of tokens, one per email address, but after they use up the set,
they get the same token on each new email address. This is clearly more
work.
Less work would be to have two possible tokens -- one when the email address
in the from line is validated, another if it is not, presuming one is able
to validate the email address.
Of course the best system would be a system of digitally signed IDs that
could be used to sign articles, with people able to get pseudonym IDs from
CAs who grant them but disallow the creation of large numbers of them.
Injectors would only have to put tokens on unsigned articles. But we
don't have a signing scheme.
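The rotating-secret token from this reply, with the two-token (validated vs. unvalidated From address) variant, as an added example that is not code from the thread. It assumes the injector identifies a poster by one string (an authenticated account or posting host), holds one long-lived master secret, and rotates the per-period secret every two days at a boundary shifted by a random offset chosen once at setup; all names and values here are constructed.

```python
import hashlib
import hmac
import secrets

# Assumed policy: the token is stable for two days, then changes. Using an HMAC
# keyed with an unguessable secret (rather than a plain hash of the identity)
# means nobody without the secret can test a guessed identity against a token,
# and tokens from different periods cannot be linked to each other.
PERIOD_SECONDS = 2 * 86400


def random_rotation_offset() -> int:
    """Seconds by which period boundaries are shifted; drawn once, stored with the master secret."""
    return secrets.randbelow(PERIOD_SECONDS)


def period_index(unix_time: int, offset: int) -> int:
    """Which rotation period a posting time falls in."""
    return (unix_time - offset) // PERIOD_SECONDS


def period_secret(master: bytes, index: int) -> bytes:
    """Per-period secret derived from the master secret, so no list of old secrets is kept."""
    return hmac.new(master, b"injector-token-period:%d" % index, hashlib.sha256).digest()


def posting_token(master: bytes, offset: int, identity: str, unix_time: int, validated: bool) -> str:
    """Token the injector puts on an article: the same for one identity within a period,
    unrelated across periods. `validated` implements the two-token variant: an article
    whose From address could not be verified gets a token unlinkable to the verified one."""
    key = period_secret(master, period_index(unix_time, offset))
    msg = ("v:" if validated else "u:") + identity
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


if __name__ == "__main__":
    master, offset = secrets.token_bytes(32), random_rotation_offset()
    t0 = 979_500_000  # constructed posting time (January 2001)
    who = "poster@example.invalid"  # constructed identity
    print(posting_token(master, offset, who, t0, True))
    print(posting_token(master, offset, who, t0 + 3600, True))        # same as above
    print(posting_token(master, offset, who, t0 + 3 * 86400, True))   # differs: new period
    print(posting_token(master, offset, who, t0, False))              # differs: unvalidated
```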