From: Charles Lindsey (chl@clw.cs.man.ac.uk)
Date: Mon May 07 2001 - 05:58:20 CDT
In <20010504101750.B20860@main.templetons.com> Brad Templeton <brad@templetons.com> writes:
>The next step after that would be sites, especially large sites, getting
>a key. For example, I would expect AOL to get a key and sign all
>articles and cancels going out of AOL. Of course this key also lets
>them cancel anything coming out of AOL, or _appearing_ to come out of
>AOL. So they, or some other 3rd party, can quickly configure to issue
>a signed cancel on any unsigned posting coming from AOL.
>This will be appealing to sites, and large sites will quickly get keys
>and possibly even pay a CA to do so. As a result, fairly quickly,
>articles and cancels from most of the large sites are signed, and in
>a short time, with only a few CAs, you have authenticated most of USENET.
>Individual users may decide they want their own keys. In fact, the spec
>should say that unless a site doesn't trust a user's personal key, they
>should pass through any signed article with no need to sign it themselves.
>(Though if they don't, another injector will probably be available for
>a signing user.)
>Most users won't get keys, but active ones will. If there are volunteer
>CAs that would be great, but it's not needed. Some might prefer a for-pay
>CA. I think Verisign's basic cert for an email address through challenge
>response is $14.95, and I expect billing is most of the cost.

And there is the fundamental weakness of the whole scheme. Your
challenge/response cancel scheme will only work IF the total number of
sites performing the service remains small - say half a dozen worldwide.

But how can you ensure that? If it is done by commercial sites, then
every ISP will want to get in on the act (you already mentioned AOL
above). And since most users get onto Usenet by installing the CD supplied
by their ISP, without really knowing what it does, the tendency will be
for each newsreader to come preconfigured to post cancels to that ISP's
cancel-signing service. And how many ISPs are there worldwide?

The one thing you can be sure of is that no ISP is going to point the
newsreader he supplies to a service provided by a different ISP.

So if the job is going to be done by a few commercial outfits, who is
going to appoint them? ICANN? Recent squabbles do not fill me with much
confidence regarding that :-( .

So that leaves us with sites that do it for free. That might just about
work, but there is no certainty that it could be made to happen that way.

--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131 Fax: +44 161 436 6133 Web: http://www.cs.man.ac.uk/~chl
Email: chl@clw.cs.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5