From: John Stanley (stanley@peak.org)
Date: Fri Jan 04 2002 - 17:17:49 CST
Seth Breidbart (sethb@panix.com):
>We clearly are not reading the same Usenet. In the one I read, a
>majority of the From: headers are correct.
And you know this precisely how?
Answer: you don't know it, but the contents look reasonable so you assume
they are correct. And the problem is not simply does the header look right
to a casual observer, but can a piece of software with even more limited
knowledge than you have be able to determine when it is NOT right.
>> When it cannot tell, it should do NOTHING, not make stuff up.
>It isn't "making stuff up" to include a header that it _knows_ to be
>correct.
Unfortunately, it does not know that the header is correct, and it is
guessing when it says that the one in the message is wrong. You might like
YOUR news software making guesses about who you are and what your real
identity is, but I do not.
>> A - Sender is going to be signed just like From,
>That would break the signature, so the poster shouldn't do it.
The poster is the only one who CAN sign the Sender, since he is the only
one who can intelligently insert the data in that header. Yes, you are
right, a news injector that screws with the Sender header will break the
signature, so it should be explicitly prohibited from doing so.
>It has equally much information about both _headers_,
Since you are clearly trying to say it HAS information about both, I'll
say "poppycock". Otherwise, you are right, it has none about either, and
should not play with either.
>It isn't a "guessing game" for it to insert information that it knows
>to be correct.
When it is guessing that what is there is wrong, yes sir bub it is a
guessing game.
>Then you don't believe that "sethb@panix.com" is a "valid \"real
>identity\"" for me?
Where did you get this ridiculous notion? For the purposes of argument, I
assume it is A real identity, but it is certainly not THE real identity,
and if you use any one of them when posting the injector should accept it.
Since it cannot tell what is NOT AN identity for you, it cannot properly
decide when a Sender header is needed, nor can it determine the proper
contents for that header.
>It's one of them; in particular, it's the (only) one that Panix cares
>about.
So? The standard does not specify that the only one Panix cares about is
what must appear in your From header.
>Please explain precisely how that differs from someone breaking in to
>my account, posting as me, and having whatever header you prefer (an
>encrypted Injector-Info, perhaps) pointing definitively to my account.
Because the From header is validated by the injector, so if it says it is
from you it must be. That's the logical extension of believing that
injectors can intelligently and correctly validate From headers.
>No, only the ones you want them to accept as being correct in your
> From: header such that you don't want them to insert a Sender: header
>with information they know to be correct.
Unfortunately for this argument, section 6.2 makes any Sender header they
insert incorrect when the From is valid, whether they think it is valid or
not.
>> Why shouldn't we prohibit an action that will break any future
>> possibility of signing articles?
>For an incredibly small value of "any future possibility".
If you want to call "every article" an incredibly small value, that's
your decision.
>>To say that it can
>> know who the Sender is when it cannot determine the poster is even
>> more ridiculous.
>It knows which account was validated to it in order for it to allow
>posting.
Unfortunately, it does not know all the valid identities for that
"account", if there is one (which is hardly true in every case, much less
most of them), so it cannot determine that the entry in the article is
incorrect. If it cannot do that, it cannot determine that a Sender header
is needed. To quote the problem:
This header SHOULD NOT appear in an article unless the sender is
different from the poster.
While that is not a MUST NOT, it certainly requires a very good reason to
violate it. "I don't know all the ids for this poster" is not sufficient.
Second, while the Sender in one place is specified as 'the mailbox of the
entity which actually sent this article', it is also 'appropriate for use
by automatic article posters'. So, I might validly put "John's Automated
News Poster <somewhere@example.com>" in the Sender header, and the
injector has no idea whether that is the correct value or not. And if I
don't have my automated program insert the Sender, then the only value the
injector would know is my mailbox, which is the absolute wrong thing to
put there.
>ANY header that the injector enforces "breaks signing" if the poster
>includes that header and signs it.
Yep. But this problem deals with two headers whose contents ONLY the
poster knows are correct or incorrect, and two headers which are meant to
identify the poster. It is ludicrous to say we cannot prohibit injectors
from changing From and Sender headers because they must be able to change
Injector-Info or whatever else the poster is not the source for.
>Why is breaking signing of Sender:
>so much worse than breaking signing of Injector-Info: ?
Because Injector-Info will not be available to the posting agent or poster
to be signed so it cannot be signed, while the only authoritative source
for Sender data is the poster and his posting agent.
>I don't believe that anybody was arguing for recommending it, but
>rather including a warning that some injectors will enforce its
>presence (and presumably, permitting that behavior).
That behaviour is broken and should be prohibited.
>I agree that Injector-Info is a better place to do it; however, that
>header might be included by a poster and signed,
And how does he get this header from the injector to know what it will
contain so it could be signed?
This is such a trivially stupid thing to have to argue about. Injectors
cannot determine when certain data is incorrect, they MUST NOT play with
it. It really is that simple.
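The signing argument running through this message (an injector that adds Injector-Info, which the poster never signed, is harmless to a signature, while an injector that inserts or rewrites a Sender header the poster signed invalidates it) can be shown concretely. The following Python is an added illustration written for this thread, not code from either participant or from any news software. The signing scheme is a constructed toy (HMAC-SHA256 over a fixed list of header names with a shared key); the key, the article headers and the injector values are all made up for the demonstration and do not correspond to any real signing standard.

```python
"""Added example: why an injector rewriting a signed header breaks the signature.

Constructed illustration for the Sender/From discussion; not a real Usenet
signing standard and not code from any news server or posting agent.
"""
import hashlib
import hmac

# The two identity headers the thread is about are the ones the poster's
# agent signs in this toy scheme.
SIGNED_HEADERS = ("From", "Sender")


def canonicalize(headers, names):
    """Build the byte string that gets signed.

    A header the poster left out is written with an empty value, so an
    injector *adding* that header still changes the signed string.  Header
    names are matched case-insensitively, as in RFC 822-style messages, and
    internal whitespace is collapsed so harmless refolding does not matter.
    """
    lookup = {k.lower(): v for k, v in headers.items()}
    lines = []
    for name in names:
        value = lookup.get(name.lower(), "")
        lines.append(f"{name.lower()}:{' '.join(value.split())}")
    return "\n".join(lines).encode("utf-8")


def sign(headers, key):
    """Poster's agent: HMAC over From and Sender with a shared key (constructed)."""
    return hmac.new(key, canonicalize(headers, SIGNED_HEADERS), hashlib.sha256).hexdigest()


def verify(headers, key, signature):
    """Reader side: recompute the HMAC and compare in constant time."""
    return hmac.compare_digest(sign(headers, key), signature)


def inject(headers, **added):
    """Simulate an injector: return a copy with headers added or overwritten."""
    out = dict(headers)
    out.update(added)
    return out


def demo():
    """Run the three cases argued in the thread and report which still verify."""
    key = b"constructed-demo-key"  # constructed; a real scheme would use a real key
    article = {  # constructed sample article, no Sender because poster == sender
        "From": "John Stanley <stanley@example.org>",
        "Newsgroups": "news.software.nntp",
        "Subject": "Sender header",
    }
    sig = sign(article, key)

    # Injector adds Injector-Info.  The poster could not have known its value,
    # so it was never part of the signed string: the signature survives.
    with_info = inject(article, **{"Injector-Info": "news.example.net; posting-host=203.0.113.5"})

    # Injector inserts a Sender it believes to be correct.  That header was in
    # the signed set (as empty), so the signature no longer verifies.
    with_sender = inject(article, Sender="stanley@account.example.net")

    return {
        "original": verify(article, key, sig),
        "injector_info_added": verify(with_info, key, sig),
        "sender_inserted": verify(with_sender, key, sig),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:22s} signature {'valid' if ok else 'BROKEN'}")
```

The point of the empty-value rule in `canonicalize` is the one made above about section 6.2: a poster who deliberately omits Sender is asserting that sender and poster are the same, and that assertion is part of what is signed. Any header outside the signed list (Injector-Info here) is free for the injector to add without disturbing verification, which is exactly the distinction between headers the injector is the source for and headers only the poster can vouch for.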