From: Russ Allbery (rra@stanford.edu)
Date: Tue Jan 16 2001 - 14:53:20 CST

Brad Templeton <brad@templetons.com> writes:
> Quite possibly, so now's the time to talk about it. Do you or anybody
> else here disagree that if there's a better way to do it that doesn't
> inherently strip posters of privacy, then it should be done?

I'm not incredibly enamoured of encrypted tokens, no. I think it's neat
for sites that know how to use it, but I also think that some of the same
principles as Received headers apply here. A bunch of people run news
without having any idea what they're doing, just like a bunch of people
run mail servers without having any idea what they're doing. In both
cases, having unencrypted trace headers as part of the generated messages
helps immensely in pointing out to those people what's actually wrong and
how to fix it and in taking other measures if necessary to stop spam and
other types of abuse. Imagine how much pain we'd be in right now in
trying to shut down open relays if all mail servers deposited Received
trace information in local log files and replaced it with encoded tokens
as a matter of course.

A good example of a time when I've used the existing NNTP-Posting-Host
semantics is with wide open DNews servers using POST feeds to another
server. Without that header, it would have been much harder to identify
the actual culprit (the open DNews server, not its upstream) and contact
the appropriate parties. Another example is the common case of an open
NNTP proxy; the presence of an NNTP-Posting-Host header often lets me
identify that that's what one is dealing with and send a much more precise
abuse complaint that's acted on much more quickly than some sort of
generic "someone at your server with this token is spamming" message.

I can see some benefits to privacy to taking your approach. I think it
would degrade the usability of the medium for that to be the default, used
by administrators who have no clue what they're doing and who won't be
able to decode even lightly encoded tokens with the help of news server
documentation. You might say that such people shouldn't run news servers,
and I might even agree with you, but that won't make them magically
disappear.

I do want the capability to be there so that sites that do know what
they're doing can turn it on. But I think that the current semantics are
a very reasonable default. People who care a lot about privacy can use a
news site whose administrators know what they're doing and therefore can
handle having the fancy encoding stuff turned on.

> The code for
> hash( IP + secret string of the day)
> Is hardly rocket science.

Nonetheless, you just completely lost 80% of the people who run news
servers.
-- Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
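
The token scheme discussed in this message, as an added example that is not part of the original post or of any news server's code: it shows why only the issuing site, holding the daily secret and its own posting log, can turn a token back into a host. HMAC-SHA256 stands in for the quoted hash(IP + secret string of the day); the master key, the log contents and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
from datetime import date

# Constructed values for illustration only.
MASTER_KEY = b"constructed-site-master-key"
POSTING_LOG = {  # day -> client IPs recorded in the server's local log
    date(2001, 1, 16): ["192.0.2.17", "198.51.100.4", "203.0.113.9"],
    date(2001, 1, 17): ["192.0.2.17", "203.0.113.50"],
}


def day_secret(day: date, master: bytes = MASTER_KEY) -> bytes:
    """Derive the 'secret string of the day' from a site master key (assumption)."""
    return hmac.new(master, day.isoformat().encode(), hashlib.sha256).digest()


def posting_token(ip: str, day: date) -> str:
    """Keyed hash of the client IP, as it would appear in the article header."""
    mac = hmac.new(day_secret(day), ip.encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def resolve_token(token: str, day: date, log=POSTING_LOG):
    """Site-side lookup for an abuse complaint: recompute the token for each
    IP logged on that day and compare. Returns the IP, or None if no match."""
    for ip in log.get(day, []):
        if hmac.compare_digest(posting_token(ip, day), token):
            return ip
    return None


if __name__ == "__main__":
    day = date(2001, 1, 16)
    token = posting_token("198.51.100.4", day)
    print("header token:", token)
    print("resolved by site admin:", resolve_token(token, day))
    # The same host gets an unlinkable token the next day.
    print("next-day token:", posting_token("198.51.100.4", date(2001, 1, 17)))
```

A recipient of the article sees only the token; resolving it requires the administrator to keep both the secret and the matching day's log and to know how to run the lookup.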