ietf-822

Re: Draft for signed headers

1999-03-17 08:55:31
On Tue, 16 Mar 1999, Jean-Francois Stenuit wrote:
On Tue, 16 Mar 1999, Charles Lindsey wrote:

There is a strongly perceived need within the Usenet-Format group for
a reliable method for the digital signing of headers. It would, on the
face of it, be foolish to devise a mechanism applicable to news that
would not work also for email, even though that does indeed make the
mechanism more complex.

IMHO, there should be two different schemes for NNTP and SMTP messages,
because the reason for signing the header is different.

For instance, we must be able to put multiple signatures on a usenet
message (one from the author, another from the administrator of the server
used for posting the article, and another for the moderator) because this
signing will be used mainly for cancelling an article. As one does not
usually cancel a mail message, this is not required for mail.

No. There are more lightweight protocols for cancels like Cancel Locks 
which don't need a public/private infrastructure, but that also can't be 
used as an authentication scheme.

Signatures in news are mainly used for moderation and control messages 
(e.g. checkgroups) and there is IMHO no great difference to mail messages.


For mail applications, I don't see the point in signing the headers, as
long as the body is signed. But I may have missed a point, since I don't
follow the ietf-822 discussions.

It may be relevant to block re-injection of a mail message, especially if 
the mail is to a mail2news-Gateway or performs some other action 
automatically.




Here is also a difference, the need is urgent for usenet (because of the
ongoing cancel wars and other unauthenticated spam) but less urgent for
mail, as mail servers around the globe are becoming less prone to spam
propagation.

To stop cancel wars just use Cancel Locks. Reference implementation is 
available by Fluffy.



I find that having a single mailing list for "message format" is a good
idea.

Yes.





Andi
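
Added example, not part of the original message and not the reference implementation mentioned above: a sketch of the hash-preimage check behind Cancel Locks, showing why no public/private key infrastructure is needed and why a matching key proves only knowledge of a secret, not who wrote the article. The `sha256` scheme, the HMAC key derivation, the function names and all sample values are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

def make_key(secret: bytes, message_id: str) -> str:
    """Per-article key: base64(HMAC-SHA256(secret, Message-ID)) (assumed derivation)."""
    mac = hmac.new(secret, message_id.encode("ascii"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")

def make_lock(key: str) -> str:
    """Lock published in the article: 'sha256:' + base64(SHA-256(key))."""
    digest = hashlib.sha256(key.encode("ascii")).digest()
    return "sha256:" + base64.b64encode(digest).decode("ascii")

def _elements(header_value: str):
    """Yield the payloads of whitespace-separated 'sha256:<payload>' elements."""
    for element in header_value.split():
        scheme, _, payload = element.partition(":")
        if scheme.lower() == "sha256" and payload:
            yield payload  # elements with other schemes are ignored

def cancel_allowed(cancel_lock: str, cancel_key: str) -> bool:
    """Server-side check: does any offered key hash to any lock on the article?

    Only hash preimages are compared. Nothing here covers the From line,
    the body or any other header, so this authorizes a cancel but does not
    authenticate the article.
    """
    locks = list(_elements(cancel_lock))
    for key in _elements(cancel_key):
        candidate = make_lock(key).partition(":")[2]
        if any(hmac.compare_digest(candidate, lock) for lock in locks):
            return True
    return False

if __name__ == "__main__":
    # Constructed sample values: each party keeps its own secret and adds its
    # own lock, so either the author or the moderator can cancel later.
    mid = "<constructed.1@news.example>"
    author_key = make_key(b"constructed-author-secret", mid)
    moderator_key = make_key(b"constructed-moderator-secret", mid)
    lock_header = make_lock(author_key) + " " + make_lock(moderator_key)

    print("Cancel-Lock:", lock_header)
    print("author cancel accepted:   ", cancel_allowed(lock_header, "sha256:" + author_key))
    forged = make_key(b"constructed-forger-secret", mid)
    print("forged cancel accepted:   ", cancel_allowed(lock_header, "sha256:" + forged))
```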
