From: Brad Templeton (brad@templetons.com)
Date: Wed Oct 10 2001 - 16:06:06 CDT
In order to clear up why I feel a certificate based system is the only one
that works and scales, let me outline some things I think we want to
be able to do, and then challenge people who propose alternatives to
deal with these questions and goals. Some of them overlap a bit, of course.
Tell us which of these goals is not valid or how they can be addressed
under your proposals.
Goals:
CANCEL
o) If somebody forges an article in my name, I should be able to
cancel it quickly and easily.
o) If somebody posts an article from a site, the site admin should be
able to cancel it.
o) If somebody forges a spam attack appearing to come from my site,
I should be able to cancel it.
o) If I was not running a brand-new newsreader/poster when I posted
an article, I should still be able to cancel it.
o) As above, without having to install a new newsreader/poster to do
the cancel.
o) It's nice if most cancels can mostly be acted on without needing to get
the original first, both because it may not have arrived and to
avoid the disk I/O of fetching it if it has.
o) The amount of material added to the net to support cancels should be
minimized.
o) It should be possible to authorize 3rd parties to issue cancels in
various subsets of the net. This includes netwide powers for
spam cancellers, and the ability to cancel just in a specific
newsgroup (allowing a group that's not pre-moderated, but
post-moderated, which is in fact what most of the world uses and
what some would like on USENET.)
GENERAL:
o) I should not be constrained from using the injector at my own ISP.
o) As I may use my key for other purposes, I should never have to
disclose it to somebody to delegate or transfer an authority.
o) It must be possible to immediately revoke a delegated authority
when the key has been compromised or the holder of the key has
gone rogue.
o) It must be possible to quickly transfer a delegated authority,
in the event the holder of it dies (or goes rogue.)
o) Where possible, the benefits of added security should accrue to all
users of the net, not simply those that have upgraded to the latest
software. Where possible, if the system can be made to work with
legacy software, this is beneficial.
o) The system should be generally designed and extensible, to allow
new authentications to be granted, and any authentication to be
delegated.
o) It must be possible for authorizations to expire and be renewed
without action by sysadmins.
o) No single party or nation should get de facto or de jure control
of general authorizations for USENET. There should not be a list
of keys maintained by a single individual with root control.
o) It must require a minimum of active maintenance by local news admins,
if they so choose (and they will so choose!)
o) The authority structure should be capable of being hierarchical,
just like USENET, so that each hierarchy and sub-hierarchy can have
its own authorizations for all actions.
FORGERY:
o) It should not be possible, at least in groups which are adopting
authentication regimens, for another to post an article with
my E-mail address in it as From or Reply-to.
o) It should not be possible for somebody unauthorized by a domain
owner to post an article with that domain in the From or Reply-to.
o) It should not be possible to alter an article in transit and have
it appear to still come from me.
o) It should not be possible for another to block the posting of my
articles by posting 'block' articles upstream with identical
message-ids to mine.
SPECIAL POWERS
o) It should be possible to allow trusted posters to bypass limits
placed on untrusted or anonymous posters, such as limits on
crossposting, article size, mime-types, posting volume, sendsys,
checkgroups.
o) Only trusted parties should be able to newgroup/rmgroup/etc.
o) When a new hierarchy or sub-hierarchy is created, the person
authorized to newgroup should have that authority immediately.
o) Only trusted parties should be able to do special named articles,
topic lists etc. if they are implemented.
MODERATED GROUPS:
o) Only the moderator(s) or those authorized by them should be able
to post in a moderated group.
o) The moderator should be able to cancel any post to a moderated group.
o) The moderator should be able to delegate the ability to post directly in
a moderated group. (As many robomoderated groups do today.) And
to delegate sub-moderators.
o) When a new moderated group is created, the moderator's key should
be immediately accepted anywhere that the group is being accepted.
Note: When I indicate something must happen quickly or immediately, this
is to say, without necessitating manual configuration by sysadmins.
I have solutions to _all_ the above problems.
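As an added illustration, not Brad's own design and not code from any news server, here is a Go sketch of a delegation chain that meets the GENERAL goals above: authority is passed by a signed certificate rather than by sharing a key, scopes can only narrow as you go down the hierarchy, grants expire and can be revoked, and a site verifies a chain knowing only the hierarchy root's public key. The certificate fields, the text format that gets signed, and the signature-keyed revocation list are all assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)
// Cert: Issuer grants Subject the right to perform Action in every newsgroup whose
// name starts with Scope ("" = net-wide) until Expires; Delegate says whether Subject
// may issue narrower certs in turn. Subject never sees the issuer's private key.
type Cert struct {
	Subject, Issuer ed25519.PublicKey
	Action, Scope   string
	Expires         int64 // unix seconds; renewal is just a fresh cert, no sysadmin work
	Delegate        bool
	Sig             []byte
}

func (c Cert) signed() []byte { // canonical bytes covered by the signature (assumed format)
	return []byte(fmt.Sprintf("%x|%s|%s|%d|%t|%x", c.Subject, c.Action, c.Scope, c.Expires, c.Delegate, c.Issuer))
}

func Issue(priv ed25519.PrivateKey, subj ed25519.PublicKey, action, scope string, exp int64, deleg bool) Cert {
	c := Cert{Subject: subj, Issuer: priv.Public().(ed25519.PublicKey), Action: action, Scope: scope, Expires: exp, Delegate: deleg}
	c.Sig = ed25519.Sign(priv, c.signed())
	return c
}

// Authorized checks a chain whose first cert was issued by the hierarchy root: each link
// must be signed by the previous Subject, unexpired, not revoked, for the same action,
// no wider than its parent, and marked Delegate unless it is the last link.
func Authorized(root ed25519.PublicKey, chain []Cert, revoked map[string]bool, action, group string, now int64) bool {
	issuer, scope := root, ""
	for i, c := range chain {
		if !c.Issuer.Equal(issuer) || !ed25519.Verify(c.Issuer, c.signed(), c.Sig) ||
			c.Expires < now || revoked[string(c.Sig)] || c.Action != action ||
			!strings.HasPrefix(c.Scope, scope) || (i < len(chain)-1 && !c.Delegate) {
			return false
		}
		issuer, scope = c.Subject, c.Scope
	}
	return len(chain) > 0 && strings.HasPrefix(group, scope)
}

func main() { // constructed demo: root -> comp.* hierarchy admin -> comp.lang.* canceller
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	hierPub, hierPriv, _ := ed25519.GenerateKey(rand.Reader)
	cancPub, _, _ := ed25519.GenerateKey(rand.Reader)
	chain := []Cert{Issue(rootPriv, hierPub, "cancel", "comp.", 2e9, true), Issue(hierPriv, cancPub, "cancel", "comp.lang.", 2e9, false)}
	fmt.Println(Authorized(rootPub, chain, nil, "cancel", "comp.lang.c", 1e9), Authorized(rootPub, chain, nil, "cancel", "rec.arts.sf", 1e9)) // true false
}
```

Revoking the compromised link is a single entry in the revocation set, so the rest of the hierarchy keeps working while the holder's replacement cert is issued.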