From: Brad Templeton (brad@templetons.com)
Date: Fri Oct 12 2001 - 13:01:44 CDT
On Thu, Oct 11, 2001 at 04:32:17PM +0000, Charles Lindsey wrote:
> >CANCEL
>
> > o) If somebody forges an article in my name, I should be able to
> > cancel it quickly and easily.
> Challenge/response is the only solution I can see here.
Just to note, I was trying to move away from the "how" of these goals a
bit and into the "what" and "why" of them. The question is, is it worthwhile
to be able to cancel a forgery, and how important is it?
I happen to believe it's important because a forgery can be a way to use
USENET to harass a user or site, even DOS attack them. If somebody posts
"all hail the WTC hijackers" from my E-mail address and I'm getting flooded
with hate mail and death threats, I want a way to be rid of those forgeries
ASAP. Ideally, as discussed below, it would be nice if there were means
to stop them in the first place, but that can only be done in
moderated or authenticated groups, not on the broad net.
Likewise as a site admin, if somebody posts a massive spam using my
domain that is getting me lots of complaints, I want the power to kill
it right away.
So I'm leaving out the question of how (though I've already said which
solution I prefer) but more "is this something we want?" I welcome others'
additions.
> > o) I should not be constrained from using the injector at my own ISP
>
> Eh?
USENET is not the internet, but nor should its design ignore the
internet. Almost all news is NNTP injected now. It may be worth
considering alternatives that make use of that and the fact that there
need be no physical relationship between a user and an injector from a
technical standpoint.
>
> > o) It must be possible to quickly transfer a delegated authority,
> > in the event the holder of it dies (or goes rogue.)
> Maybe
I view it as a concern today that if Dave Lawrence were pushed under
a bus, it would take a long time before new groups could be created
in comp.* at sites running pgpverify. Fortunately for Dave, it's not a likely
event, but I still view dealing with this as a goal.
>
> > o) It must be possible for authorizations to expire and be renewed
> > without action by sysadmins.
> But reissuing an expired key is definitely for humans to do
Normally for good security, systems are designed with temporary keys
which are renewed automatically. This is designed to keep CRLs small,
otherwise they can grow without bound. So it's normally not desirable
to do it manually.
>
> > o) The authority structure should be capable of being hierarchical,
> > just like USENET, so that each hierarchy and sub-hierarchy can have
> > its own authorizations for all actions.
>
> Maybe
Curious as to other opinions. I have always felt that the hierarchy was
intended to be the administrative unit for USENET, starting with control
of feeding, then for policy and eventually for many other things.
>
> >FORGERY:
> > o) It should not be possible, at least in groups which are adopting
> > authentication regimens, for another to post an article with
> > my E-mail address in it as From or Reply-to.
>
> That is for the moderator to negotiate with his posters
No, I mean in more than just moderated newsgroups. BTW this goal is
one of the hardest, but I hope that most people agree it would be nice if
people could not forge articles in others' names.
>
> > o) It should not be possible for somebody unauthorized by a domain
> > owner to post an article with that domain in the From or Reply-to.
>
> Impossible
This one is also hard (but not impossible) but again the question is,
is it a worthwhile goal? As we know, many moderated groups now are
robo-moderated, and the daemon that moderates them accepts posts only
from those who previously responded to challenge/response. They don't
make it impossible to forge because they don't challenge each posting,
but they could do that, or they could demand each posting be signed with
a key worked out in the challenge/response, making it very difficult
to forge in these groups. Such groups are among the best on the net,
so the ability to do this sort of stuff is something I listed as a goal.
As to the how, I'm trying to avoid asking that (and only mention it in
the context of alleged impossibility) but mainly I am interested in the
why.
>
> > o) It should not be possible to alter an article in transit and have
> > it appear to still come from me.
>
> Unlikely; not an issue at the current time
Actually, that is sort of the original goal of digital signature technology,
to make documents unalterable in transit. And I agree, we haven't seen
evidence of significant attacks of this sort. This is one of those
"general security" goals that most authentication systems have. Because
while most of our talk has been about authenticating headers, many also
talk of authenticating bodies, which is what this goal means.
>
> > o) It should not be possible for another to block the posting of my
> > articles by posting 'block' articles upstream with identical
> > message-ids to mine.
>
> Ditto
Likewise, prevention of DOS attacks is a normal goal of good security
designs, so I list it here.
>
> >SPECIAL POWERS
> > o) It should be possible to allow trusted posters to bypass limits
> > placed on untrusted or anonymous posters, such as limits on
> > crossposting, article size, mime-types, posting volume, sendsys,
> > checkgroups
> Maybe
To explain further -- many have proposed or felt the need for limits on
crossposting both because spammers abuse it and because even ordinary
users overuse it. Such limits are proposed both sitewide, and in
certain newsgroups. There are already non-moderated newsgroups which have
crossposting cancelbots which mail you and say, "Pick group A or group A.B,
not both" because that is the policy.
That's all well and good, but there are times when policies like that
make sense for regular use but should not apply to all postings. So you
might want a way to have them apply to some postings and not others.
With cancelbots you can tune that in the cancelbot. If the rule is
enforced by sites (i.e. no more than 5 crossposts on _any_ article) it
may make sense that certain people can violate that rule.
>
> > o) When a new hierarchy or sub-hierarchy is created, the person
> > authorized to newgroup should have that authority immediately.
>
> No. Trust has to be earned. Look at the shenanigans that went on when
> wales.* was formed.
Then how do you start a new hierarchy? Presuming that, with a properly
installed signature check on newgroup, the only way to create a group is
to sign the newgroup. Surely it's good if this doesn't have to wait
for zillions of admins to install keys?
------------
Any goals to add?
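As an added illustration, not part of this thread or of any news server, here is what two of the goals above look like together as a small injection-side check in Python: the sitewide "no more than 5 crossposts" rule with a trusted-poster bypass, and authorizations that expire so a lapsed entry behaves exactly like a missing one. The authorization table, the addresses, the capability name and the sample article are all constructed assumptions; the check also assumes the From address has already been verified, since keying a bypass on a bare From header is precisely the forgery problem the thread is about.

```python
from datetime import datetime, timezone
from email.utils import parseaddr

# Sitewide rule mentioned in the thread: no more than 5 newsgroups on any article.
CROSSPOST_LIMIT = 5

# Constructed authorization table (hypothetical format): address -> (capability, expiry).
# An expired entry must behave exactly like a missing one; that is what makes
# automatic renewal, rather than an ever-growing revocation list, workable.
AUTHORIZATIONS = {
    "trusted@example.com": ("bypass-crosspost-limit", datetime(2001, 12, 31, tzinfo=timezone.utc)),
    "lapsed@example.com": ("bypass-crosspost-limit", datetime(2001, 9, 1, tzinfo=timezone.utc)),
}

# Constructed "current time" for the check, matching the date of this message.
NOW = datetime(2001, 10, 12, tzinfo=timezone.utc)


def parse_headers(article):
    """Return the header block as {lowercased-name: value}; headers end at the first blank line."""
    headers = {}
    for line in article.splitlines():
        if line == "":
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def is_authorized(address, capability, now):
    """True only if the address holds an unexpired authorization for this capability."""
    entry = AUTHORIZATIONS.get(address)
    return entry is not None and entry[0] == capability and now < entry[1]


def check_crossposting(article, now):
    """Return (accepted, reason). Assumes the From address was verified upstream
    (e.g. by a signature check); otherwise a forger inherits the exemption."""
    headers = parse_headers(article)
    groups = {g.strip() for g in headers.get("newsgroups", "").split(",") if g.strip()}
    if len(groups) <= CROSSPOST_LIMIT:
        return True, "within crosspost limit"
    _, address = parseaddr(headers.get("from", ""))
    if is_authorized(address, "bypass-crosspost-limit", now):
        return True, "over limit, trusted poster bypass"
    return False, "%d newsgroups exceeds sitewide limit of %d" % (len(groups), CROSSPOST_LIMIT)


# Constructed sample article crossposted to 7 groups.
SAMPLE = "From: Trusted Poster <trusted@example.com>\nNewsgroups: a,b,c,d,e,f,g\nSubject: test\n\nbody\n"
```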