In <199903252203(_dot_)RAA22802(_at_)black-ice(_dot_)cc(_dot_)vt(_dot_)edu>
Valdis(_dot_)Kletnieks(_at_)vt(_dot_)edu writes:
--==_Exmh_1716240888P
Content-Type: text/plain; charset=us-ascii
On Thu, 25 Mar 1999 11:30:44 PST, Brad Templeton said:
On Thu, Mar 25, 1999 at 12:51:19AM -0800, Chris Newman wrote:
(D) If signed headers are done only in netnews, they will be removed by
the news->mail gateway, tunnelled through (1), or they likely won't
work in the gateway case at all.
No. Ideally, signed headers, originally made in news, will pass through
gateways of both kinds and still be verifiable. That is what my Draft set
out to make possible. Of course, there is bound to be some gateway
somewhere that munges to such an extent that it doesn't work, but it is
hoped that these will be in the minority
They probably won't be removed. If they are kept the message can be
re-gatewayed into news so long as it is intact. If it has been modified
the re-gateway will fail or need to re-sign with its own key.
OK.. I'll bite. What does the fact that a piece of news is signed by
the re-entry gateway tell me? Somewhere near zero, since the gateway
is in no position to verify that nothing untoward happened. In fact,
if the gateway is signing it, then we *know* the original signature
is broken - if it was intact the gateway wouldn't need to sign it.
It depends on the what the gateway received. If it received a set of
signed headers and was able to verify the signature, but it intends now to
munge the headers before passing them on (to suit its own obscure site
policies), then it should state that it had verified the headers
(including exactly which ones) and sign its statement, and also sign the
complete thing again (well, there are various ways to do it, but see a
rather similar example in my Draft). Then everybody can see that the
originally signed article is still intact (assuming they believe what the
gateway has certified). There are enough hooks in my Draft to enable all
this to be done (whether gateways go to the trouble of using them all is
another matter, of course).
So what this *really* says is "If it has been modified, the re-gateway
will fail or need to be flagged as corrupted/modified". A new signature
isn't needed - only a header added ('X-mangled-in-transit: maybe?). This
seems to be the only header field that needs to be signed by the gateway,
as nothing else is really trustable at that point.
If the thing did not verify correctly when it arrived at the gateway,
OTOH, then it would probably be better for the gateway to drop it. And
even if it passes it on, there is not much point in signing anything,
though it could assert, under its own signature, that the verification had
failed (yes, there is even a way to say that in my Draft).
But nobody should actually be removing any of these headers (unless the
article is dropped entirely, of course). If funny things have been
happening en route, then let all the evidence be preserved, so that people
can make up their own minds what to believe.
--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Email: chl(_at_)clw(_dot_)cs(_dot_)man(_dot_)ac(_dot_)uk Web:
http://www.cs.man.ac.uk/~chl
Voice/Fax: +44 161 437 4506 Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5