From: Brad Templeton (brad@templetons.com)
Date: Mon Oct 15 2001 - 15:41:47 CDT
On Mon, Oct 15, 2001 at 01:29:04PM -0700, Benjamin Franz wrote:
> Then you had better step back and examine your desire for certified
> authentication in the larger context. Because it _fundamentally_ requires
> heavily impacting privacy for it to work as you want. If it is not nearly
> universally used - it doesn't work to prevent forgeries of email addresses
> in any significant way. If it _is_ universally used, everyone surrenders
> their privacy as a prerequisite for participation in Usenet.
No, on several counts. An "all articles are signed" system can be used
to cause a surrender of privacy but it's not inherent. It all depends on
how they are required to be signed.
It is possible to allow both certificates for a valid e-mail address
(which is then as non-anonymous as the email address) as well as ones for
non-valid email addresses (ending in .invalid or the domain of anybody
offering anonymous addresses in their domain)
This stops people from forging a valid email address, but leaves them free
to use any invalid one they like. They can not post a message that
causes replies to be sent directly to me.
Even if you insist only on a valid email address, that need not violate
your privacy. The granter of the valid email address might be an
anonymous remailer, or a service like the soon to be terminated ZKS Freedom,
or a hotmail mailbox, or who knows what.
Now, you may argue that some groups would want to disalow participation of
such mail addresses, and that's a valid debate. I think we should have
all kinds of groups -- groups that are all-identified, and groups with
pseudonyms, and anonymity and everything in between.
> Except that everytime we push you hard on this that a PK/Cert system
> simply _cannot_ prevent people from posting with your email address, you
> retreat to 'everyone needs to do it'. This schizophrenic position (that it
No, I have outlined (in lots of detail, in drafts written years ago and
still available) a spectrum of newsgroups:
1) Regular unmoderated groups like today
2) Old moderated groups (likely to go away)
3) Authenticated unmoderated groups -- all articles signed, but
a) All signers must be fully identified, or
b) Some signers identified, some pseudonums
c) Some identified, some pseudonyms, some anonymous
d) Any mixture of the above, any policy you want.
4) Authenticated moderated groups, all articles signed "approved"
by moderator.
In groups 1 and 2 you can't stop forgery. In groups of class 3 and 4
you can, though it's not a requirement.
> Sure. They're called the US postal and telephone systems. It took me, oh,
> a good 20 seconds to obtain your real world street address and phone
> number given nothing but your name and domain. I post <insert any
> guaranteed to piss off a lot of people immensely statement> to a billion
> news groups with your name, phone and address attached. The 0.1% of idiots
> who can't be bothered to figure out I mean for them to harass you by proxy
> do the rest. Hell - I can even make it easy by putting your address in
> the body with a 'mailto:' link (which neatly evades any PK requirements).
> If I'm _really_ nasty, I make it viral with some social engineering hook
> like claiming you are taking calls and letters on the topic and want the
> message to be passed to as many people as possible.
Indeed you can. My mistake to tust you with my real email address I guess.
(the public I normally only give my public email addresses)
I point out that it is possible to secure the From lines and Reply-to
lines in a new class of newsgroups. Some may find that has merit, some
not. Even for those for whom it has merit it does not prohibit
anonymity in those groups.
However, it can allow for a greater degree of control because there can
be accountability. If somebody spams from an authenticated email address,
there are ways to deal with it. If they spam from some remailer you can
come to terms with the remailer as to how they handle spam, and if they
don't fix it, killfile them. People have a right to be anonymous (or
identified) but others aren't forced to listen.
None of this is new, or, in most contexts controversial. A large fraction
of the network world comes in through online services. On these services,
posters have varying levels of privacy protection. You can't forge your
identity on their message boards, however, even if they fully protect
the anonymity of the identities they do assign people. The ability to
get an anonymous identity for yourself is independent of the ability to
use somebody else's.