From: Brad Templeton (brad@templetons.com)
Date: Fri May 04 2001 - 12:22:39 CDT

On Fri, May 04, 2001 at 10:20:36AM -0400, Bill Davidsen wrote:
>
> I don't think standardizing the headers includes setting up a central
> agency to do the things which really need to be done.

Of course it doesn't. The task this group was supposed to accomplish was
to define _how_ to sign an article (including of course a control message),
and implicit with that are the problems of how to verify that the key which
signed the article is authorized to do whatever operation the article is
requesting.

Once you define how to write and check a signature and a certificate, it is
up to others to issue the certificates, and get admins to install top
level certificates of those they trust.

However, you can't ignore this problem, since you need new control messages
for revocation of certificates, for example.

>
> Because people prefer things proven to work in a usenet environment
> without a central authority? Because the recent Verisign debacle with
> Microsoft certificates pointed out that you are substituting their
> judgement for yours? It's an issue of implementation rather than

No, we're substituting their judgement for nobody's. Right now most
of these things are unsecured, or haphazardly secured. The purpose of
a standards body is to unify the competing methods and do it right.

> If "anything else" is a serious error, we've been successfully making
> it for years.

I guess since I see usenet fading (though not simply due to lack of
auth) I have a different definition of successfully making it.