From: Brad Templeton (brad@templetons.com)
Date: Wed Oct 10 2001 - 21:34:56 CDT
On Wed, Oct 10, 2001 at 11:46:04AM +0000, Charles Lindsey wrote:
> In <20011009114224.D8798@main.templetons.com> Brad Templeton <brad@templetons.com> writes:
>
> >For cancels from a _site_ on messages generated by that site, you don't need
> >the original message to authenticate the cancel. The reason is the
> >message-id contains the domain name. As such, any site can get a
> >certificate granting that site's admin the authorization to cancel any
> >message with a message-id naming that site.
>
> Ugh! I don't think I want to see any system that places too much reliance
> on the content of message-ids.
It doesn't rely on it, it is just a simple feature. I think you _could_
rely on it, if you wished to, in the sense that to avoid what was advanced
as a problem of not being able to verify a cancel without the original, you
could follow this rule.

But in fact I don't think it is that great a problem to have to wait for
the original on the very small (around 1000 we are told) number of "personal"
cancels that are issued.

However, if we are talking about a cancel by a site admin, the system
described does make a very efficient cancel, because you don't even have
to fetch the original article from disk. You just notice that the
message id contains a given domain, and the cancel is coming from the
owner of that domain.
>
> Likewise, I don't want to see any scheme that relies on having a separate
> key for every injecting site on Usenet. It will be quite enough to have
> separate keys for all hierarchy administrators, all reputable cancellers,
> and maybe all moderators, and maybe some trusted "advisors". Anything
> significantly more than that is going to be unmanageable.
Why? You keep asserting this but it's simply not the case. Certificates
form a tree. You can have one or a million and the complexity is the
same. The complexity lies only in the certificate language, and I would
be very surprised if any certificate language design didn't include
attributes for domain ownership, because injectors need that.
>
> But it is in any case unnecessary for injecting sites, because they are
> still in a position to add a Cancel-Lock.
They can only add a cancel lock if they injected the article with software
that adds cancel locks. After cancels become authenticated I expect a
lot of people and sites to notice a problem and want to cancel it and thus
consider upgrading them -- but they would be unable to cancel the old
articles. In fact, this might be the main reason people upgrade their
posting or injecting software!
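The site-admin check described in this message, sketched as an added example that is not part of the original post or of any news software. It assumes the certificate's signature chain has already been verified; `VerifiedCert`, its `cancel_domains` attribute, the choice to let a domain cover its subdomains, and all sample values are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class VerifiedCert:
    """Hypothetical result of a certificate check that has ALREADY succeeded."""
    subject: str
    cancel_domains: frozenset  # assumed attribute: domains this admin owns

# Exactly one "@" inside the angle brackets; anything else is treated as malformed.
_MSGID = re.compile(r"^<[^<>@\s]+@([A-Za-z0-9.-]+)>$")
_CONTROL = re.compile(r"^cancel\s+(<[^<>\s]+>)\s*$", re.IGNORECASE)

def msgid_domain(msgid):
    """Return the lower-cased domain part of a message-id, or None if malformed."""
    m = _MSGID.match(msgid.strip())
    if not m:
        return None
    domain = m.group(1).lower().rstrip(".")
    if not domain or any(not label for label in domain.split(".")):
        return None  # empty label such as "a..b" or a leading dot
    return domain

def covers(cert_domain, target):
    """True if target equals cert_domain or is a subdomain of it (assumed policy).

    The "." boundary matters: a bare suffix test would let "evilexample.com"
    pass as "example.com".
    """
    cert_domain = cert_domain.lower()
    return target == cert_domain or target.endswith("." + cert_domain)

def site_cancel_authorized(control_header, cert):
    """Decide from the Control header alone, without fetching the original article."""
    m = _CONTROL.match(control_header)
    if not m:
        return False
    domain = msgid_domain(m.group(1))
    if domain is None:
        return False
    return any(covers(d, domain) for d in cert.cancel_domains)

# Constructed sample data.
CERT = VerifiedCert("news admin, example.com", frozenset({"example.com"}))

if __name__ == "__main__":
    for header in ("cancel <abc123@news.example.com>",
                   "cancel <abc123@evilexample.com>",
                   "cancel <abc123@example.com.example.net>"):
        print(header, "->", site_cancel_authorized(header, CERT))
```
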