From: Brad Templeton (brad@templetons.com)
Date: Mon Oct 15 2001 - 20:59:10 CDT
On Mon, Oct 15, 2001 at 06:15:17PM -0400, Henry Spencer wrote:
> The proper business of a Usenet authentication system is to verify that
> all the postings from (say) henry@spsystems.net come from the same
> possibly-not-a-single-human author. Nothing more.
To be strict, I was willing to go further, and say that the system should
confirm that if the posting claims to come from a user with a valid
e-mail address, it really comes from that user. Postings from users
that don't use a valid email address would not be subject to such a test.
Without that requirement (in the newsgroups in which requirements would
be enforced) it is possible for me to post as
henry%spsystems.net@mail.trends.ca, and replies would still go to you.
Most people have aliases or a "%" form that could be used to forge
postings from them. One might actually safely forbid % in addresses
these days, as its use is rare, but you can't really get past the
alias issue.
It is debatable if it is valuable to have systems detect that once
henry@spsystems.net signs a posting (with a certificate), this would store
that address as requiring signature.
On the positive side, this is a rule you can implement in every newsgroup,
not just special ones. But it requires a fairly large database be kept,
and new sites need to get a copy of it.
Of course, some people have just suggested (and this is all is done today)
that people sign their articles without any software checking the
signatures. This is what happens today, and the only benefit is that
after the fact, those who suspect forgery can manually checked. In
practice this seems to have close to zero utility.
A possible middle ground would be to develop a special rule for a group
of email addresses, and all postings from such addresses must be signed.
This could be applied over all newsgroups with no database needed.
For example, I might post as brad@sigreq.templetons.com, or
brad-sigreq@templetons.com, or one can even imagine a special domain
space (sigreq.com?) which hands out alias for use in USENET posting to
those who want such protection.
Unfortuntely in many cases it might be obvious what the real address is,
and people could use it to forge. Ideally designed you need a system
where it's easy to create the public address/alias, but not easy to guess the
real address by seeing it.
Which is why I've noted that blocking forgery is one of the harder problems,
definitely to be left until later in any authentication program.
However, I expect it will be a popular feature, because it can be very
effective against spam. In addition, though I defend the ability to post
anonymously on many topics, I also respect the right of people to create
online communities without anonymity, or where anonymous posters can be
clearly seen to be anonymous, which have advantages too. As long
as both are available we can protect privacy rights.