Authentication, cancels, etc

From: Charles Lindsey (chl@clw.cs.man.ac.uk)
Date: Thu Sep 27 2001 - 08:28:32 CDT


My posting regarding this some weeks back has not evoked much response,
except that we seem agreed that it is really a matter for an early
Security Extension to our standard. There was also a request by Clive
that we should at least decide what we intended to do about Cancel
messages before finalising our present draft.

So here is a paragraph I have written to go somewhere in chapter 7. If
that is agreeable to you, then I would propose to refer to it in all
those places where we have mentioned digital authentication without
specifying exactly how it is to be done.

0.1. Digital Signature of Headers

   It is most desirable that newsgroup control headers be authenticated
   by incorporating them within some digital signature scheme that
   encompasses other headers closely associated with them (including at
   least the Approved, Message-ID and Date headers). At the time of
   writing, this is usually done by means of a protocol known as
   "PGPverify" ([PGPVERIFY]), and continued usage of this is encouraged
   at least as an interim measure.

   However, PGPverify is not considered suitable for standardization in
   its present form, for various technical reasons. It is therefore
   intended that an early extension to this standard will provide a
   robust and general purpose digital authentication mechanism with
   applicability to all situations requiring protection against
   malicious use of, or interference with, headers. That extension will
   also address other Netnews security issues.

   [PGPVERIFY] David Lawrence,
        <ftp://ftp.isc.org/pub/pgpcontrol/README.html>.

As for Clive's suggestion that we should now discuss cancels a little
more, I entirely agree. The simplest way to implement multiple cancels
would be to allow multiple message-ids in a single cancel message
(indeed Henry already implemented that in CNews in a fit of enthusiasm)
and it would hardly require rocket science to incorporate it into other
serving agents.

So here is a first question. What would INN do if it received such a
cancel? Would it barf, or would it treat it as a cancel for the first
message-id (or might it even cancel the lot)?

Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131 Fax: +44 161 436 6133 Web: http://www.cs.man.ac.uk/~chl
Email: chl@clw.cs.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
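
The header-covering idea in the draft paragraph above, as an added example that is not part of the original message and is not PGPverify's format: one tag is computed over Control together with Approved, Message-ID and Date, so changing or dropping any of them invalidates it. HMAC-SHA256 with a shared key stands in for a public-key signature; the key, addresses, `Signed-Headers` line and function names are constructed for illustration.

```python
import hashlib
import hmac

# Control plus the headers the draft paragraph names as the minimum to cover.
SIGNED_HEADERS = ("Control", "Approved", "Message-ID", "Date")


def canonical_bytes(headers):
    """Serialize the covered headers in a fixed order for signing."""
    # The list of covered names is itself signed, so it cannot be shortened.
    lines = ["Signed-Headers: " + ",".join(SIGNED_HEADERS)]
    for name in SIGNED_HEADERS:
        if name not in headers:
            raise ValueError("missing header required for signing: " + name)
        # Collapse whitespace so re-folding in transit does not break the tag.
        lines.append(name + ": " + " ".join(headers[name].split()))
    return "\r\n".join(lines).encode("utf-8")


def sign_headers(headers, key):
    """Return a hex tag (HMAC stand-in for a real digital signature)."""
    return hmac.new(key, canonical_bytes(headers), hashlib.sha256).hexdigest()


def verify_headers(headers, key, tag):
    """True only if every covered header is present and unchanged."""
    try:
        expected = sign_headers(headers, key)
    except ValueError:
        return False
    return hmac.compare_digest(expected, tag)


# Constructed sample headers and key (not taken from any real article).
KEY = b"constructed-demo-key"
ARTICLE = {
    "Control": "cancel <target@example.invalid>",
    "Approved": "moderator@example.invalid",
    "Message-ID": "<cancel.1@example.invalid>",
    "Date": "Thu, 27 Sep 2001 13:28:32 GMT",
    "Subject": "cmsg cancel <target@example.invalid>",
}
TAG = sign_headers(ARTICLE, KEY)


def with_header(name, value):
    """Copy of ARTICLE with one header replaced (None removes it)."""
    copy = {k: v for k, v in ARTICLE.items() if k != name}
    return copy if value is None else {**copy, name: value}
```

Reusing the tag on an article with a different Date or Message-ID fails verification, which is what binding those headers to Control buys against replay.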

