ietf-822
[Top] [All Lists]

Re: Draft for signed headers

1999-03-18 23:37:39
On Thu, Mar 18, 1999 at 02:57:33PM -0800, Russ Allbery wrote:
Charles Lindsey <chl(_at_)clw(_dot_)cs(_dot_)man(_dot_)ac(_dot_)uk> writes:
Brad Templeton <brad(_at_)templetons(_dot_)com> writes:
a) Used PGP, a then-proprietary external program

But which nobody had any difficulty using

Um, pardon?  That's rather far from true.  There are several news sites
that have simply turned off control message processing altogether because
they're unwilling to pay a couple grand to NAI for a commercial PGP
license.  PGP also has one of the most arcane and idiotic interfaces that

Actually, the theory is that openpgp clears some of this up but it
really doesn't make it a wise choice for USENET.

OpenPGP is a generalized system for encoding signatures and limited
certificates using a variety of algorithms in a packed-bits format.
It's certificate system, as far as I understand it, both has no particular
functions to certify USENET attributes, and is based on the web of trust
concept, which while interesting for some attributes, does not seem likely
to work for USENET signing and certifying.

To store signatures no encoding method of significance is needed.  A
signature is just a number.  You encode it in base64.  It needs no other
fields or attributes.  (Though just to be safe, the signed header, like
all headers, should be in MIME extensible header style with fieldname
tagged attributes.)

A likely choice for signature is DSA, which means the signature is a
320 bit number (two 160 bit numbers) to be encoded in 53 or 54 base6
characters, depending on if you view it as 2 numbers or one.

That's about it for the signature.  All the real complexity is in
the certificates.  Certificates are simply a short digitally signed
statement that says, "I certify that key X has attributes Y", signed
with the certifier's key.   The attributes are:
        a) Key-related attributes like key name
        b) Certificate attributes like expiration date and trust level
        c) USENET attributes like "Can use E-mail address foo" or
           "Can newgroup in comp.*" or "Can cancel message-ids that
           match <(_dot_)*(_at_)templetons(_dot_)com>" and so on.   


I have a list of the things we might want to certify on USENET on my web
site at www.templetons.com/usenet-format

These needs don't really tie in well with openPGP.

The certificates need a language of some sort to express the attributes.
I had designed one, but am not particularly wedded to it. Any language
that says the things we need to say in a compact, extensible, easy to
handle fashion is fine by me.   SPKI is one candidate others are working
on, though it has a few minor problems we may want to look into from my
basic examination.

<Prev in Thread] Current Thread [Next in Thread>