From: Clive D.W. Feather (clive@demon.net)
Date: Mon Feb 04 2002 - 04:39:01 CST
John Stanley said:
>> You are assuming that "entity" means "human being".
>
> Yes, I guess I use the standard definition.
Whose standard? A couple of dictionary checks give me:
entity
  * Something that exists as a particular and discrete unit: Persons and
    corporations are equivalent entities under the law.
  * The fact of existence; being.
  * The existence of something considered apart from its properties.
human being
  * any living or extinct member of the family Hominidae.
which clearly differ.
> When I am the entity that is
> posting an article, I certainly am a human being. When you post, do you
> lose your membership in the human race?
I thought it was you who said that:
> and the flawed logic that "A means B is the same as B means A".
Obviously I was wrong and you don't understand logic.
> Our draft also seems to make this error as well, since it says the sender
> is "the person or software...", which includes "human being" as part of
> that definition. Or are there "persons" who are not "human beings"?
Yes.
>> Everyone else seems to think that it means "operator of a mailbox,
>> instantiation of the ability to authenticate, or some related concept".
> No, they seem not to be using that definition.
[...]
In case you failed to comprehend my previous message, I do *not* disagree
that the definitions need changing. However, I *do* disagree that "entity",
in the context of this document, means "a specific human being no matter
how they designate themself".
> The definition that is being used by those who claim that the same person
> who posts using two different addresses is two different entities must
> depend on the one thing that changes between articles: the actual email
> address.
Fine, so that's a starting point for a better definition.
>> And in this example the Sender "entity" is not the person typing, but the
>> entity whose facilities are being used.
> This claim is clearly contradicted by the plain-text definition of
> "sender" as found in our own draft. The "sender" is the person or software
> responsible for the operation of the posting agent.
"responsible for" is not the same as "using".
> When I loan my
> terminal to someone else, I make them responsible.
But the people with a lien over your actions might not agree. Speaking as
someone who has run an ISP abuse department, I can tell you that we
wouldn't give that argument as much as a millisecond's consideration. Nor
would a court.
>> The only other issue is that of signing.
> That would be sufficient to warrant a prohibition; as it is, it is icing
> on the cake.
No.
>> The answer there is to ensure that
>> any signing process indicates which headers have been signed by whom, so
>> that it is clear that an added Sender is not part of the original
>> signature.
> No, the answer is to prohibit the injector from playing with headers that
> only the poster can insert with any knowledge, and which would cause the
> verification of a signature to fail. What difference is there between a
> forger posting an allegedly signed article that fails to verify because
> the signature is invalid, and the real McCoy posting a validly signed
> article that fails to verify because the injector screwed with a header?
You have completely failed to appreciate my point.
Firstly, I'm not condoning the *modification* of headers.
Secondly, if the signature says that it includes a list of headers which
don't include the (at that point nonexistent) Sender, then any signature
check will merely indicate that Sender was unsigned. That is *not* the same
as "failed to verify", since the added-later Sender won't be included in
the checking process.
> All the forger has to do is say the Sender was included in the signature
> and he can claim that the failure to verify is due to the injector; there
> is nothing the real McCoy can do to get his article to verify.
Rubbish. There is a difference between "validation failed" and "validation
succeeded but some headers not part of the check".
-- 
Clive D.W. Feather | Work:  <clive@demon.net>   | Tel:    +44 20 8371 1138
Internet Expert    | Home:  <clive@davros.org>  | Fax:    +44 870 051 9937
Demon Internet     | WWW: http://www.davros.org | Mobile: +44 7973 377646
Thus plc           |                            | NOTE: fax number change
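
The distinction this message draws between "validation failed" and "validation succeeded but some headers not part of the check", as an added example that is not part of the original message or of any draft it discusses. Assumptions: HMAC-SHA256 stands in for the poster's public-key signature, and the key, header values and function names are constructed for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: stand-in for the poster's signing key

# Constructed sample article as the poster signed it (no Sender header yet).
ARTICLE = {"From": "poster@example.org", "Subject": "test",
           "Message-ID": "<1@example.org>"}
BODY = "Hello, world.\n"


def _digest(headers, body, names, key):
    # The list of signed header names is itself covered by the signature,
    # so nobody can later claim a different set of headers was signed.
    lines = [",".join(names)]
    lines += [f"{n}:{headers.get(n, '')}" for n in names]
    lines.append(body)
    return hmac.new(key, "\n".join(lines).encode(), hashlib.sha256).hexdigest()


def sign(headers, body, names, key=KEY):
    """Sign only the named headers and record which ones were signed."""
    return {"signed": list(names), "mac": _digest(headers, body, names, key)}


def verify(headers, body, sig, key=KEY):
    """Return (status, unsigned_headers); status is 'valid' or 'failed'."""
    expected = _digest(headers, body, sig["signed"], key)
    if not hmac.compare_digest(expected, sig["mac"]):
        return "failed", []
    # Headers present now but absent from the signed list were never checked.
    unsigned = sorted(n for n in headers if n not in sig["signed"])
    return "valid", unsigned


if __name__ == "__main__":
    sig = sign(ARTICLE, BODY, ["From", "Subject", "Message-ID"])
    injected = dict(ARTICLE, Sender="user@isp.example")  # added at injection
    print(verify(injected, BODY, sig))        # valid, Sender reported unsigned
    claim = {"signed": sig["signed"] + ["Sender"], "mac": sig["mac"]}
    print(verify(injected, BODY, claim))      # failed: signed list was altered
    print(verify(dict(ARTICLE, From="x@example.org"), BODY, sig))  # failed
```

A verifier built this way can report the added Sender as outside the signature without treating the article as a failed verification, while a changed signed header or an altered signed-header list still fails.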