From: Charles Lindsey (chl@clw.cs.man.ac.uk)
Date: Wed Oct 10 2001 - 06:46:04 CDT
In <20011009114224.D8798@main.templetons.com> Brad Templeton <brad@templetons.com> writes:
>For cancels from a _site_ on messages generated by that site, you don't need
>the original message to authenticate the cancel. The reason is the
>message-id contains the domain name. As such, any site can get a
>certificate granting that site's admin the authorization to cancel any
>message with a message-id naming that site.
Ugh! I don't think I want to see any system that places too much reliance
on the content of message-ids.
Likewise, I don't want to see any scheme that relies on having a separate
key for every injecting site on Usenet. It will be quite enough to have
separate keys for all hierarchy administrators, all reputable cancellers,
and maybe all moderators, and maybe some trusted "advisors". Anything
significantly more than that is going to be unmanageable.
But it is in any case unnecessary for injecting sites, because they are
still in a position to add a Cancel-Lock.
>This in turn would become available to most users, because the site's
>injector (same one that put that message-id on) would, upon receiving
>the unsigned cancel, authenticate the user in whatever way it knows locally
>and sign the cancel for the user.
Same objection as above.
-- Charles H. Lindsey ---------At Home, doing my own thing------------------------ Tel: +44 161 436 6131 Fax: +44 161 436 6133 Web: http://www.cs.man.ac.uk/~chl Email: chl@clw.cs.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K. PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5