ietf-openpgp

Re: draft-ietf-usefor-article-04.txt: 6.21.3 considered harmful.

2001-04-16 14:07:12
Brad Templeton <brad(_at_)templetons(_dot_)com> writes:

Multipart/signed, while probably the best of the signature forms, is not
suitable to USENET.  It only signs the body.  Signing the body is not
just the least interesting thing we can do in USENET (99.9% of all
problems come from forged headers, not modification of bodies), it can
actually have negative value, if it leads people to think the article is
"signed" and thus can be trusted in ways that it actually can't.

This depends rather heavily on the context.  What you say is true for some
applications (like control messages) and not true for others (like
official announcements from some entity or another that are posted to
Usenet).  At the worst, what it means is that one has to include the
important information that should be authenticated by the signature, such
as the date and the author, in the body of the message.  Quite frequently
for things like announcements this is done as a matter of course anyway.

-- 
Russ Allbery (rra(_at_)stanford(_dot_)edu)  <http://www.eyrie.org/~eagle/>
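
The point both posts turn on, as an added example that is not part of either message: a signature computed over the body alone still verifies after a header is changed, unless the headers that matter are repeated inside the signed body and compared on receipt. It assumes an HMAC as a stand-in for the OpenPGP signature; the key, header values and function names are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

KEY = b"constructed-demo-key"   # stand-in for the signer's key (assumption)
BOUND = ("From", "Date")        # headers repeated inside the signed body

def sign_body(body: str) -> str:
    # Like multipart/signed, this covers the body only, never the headers.
    return hmac.new(KEY, body.encode("utf-8"), hashlib.sha256).hexdigest()

@dataclass(frozen=True)
class Article:
    headers: dict
    body: str
    signature: str

def post(headers: dict, text: str, bind: bool = False) -> Article:
    # With bind=True the author copies From/Date into the body before signing.
    if bind:
        text = "".join(f"{k}: {headers[k]}\n" for k in BOUND) + "\n" + text
    return Article(dict(headers), text, sign_body(text))

def signature_ok(a: Article) -> bool:
    return hmac.compare_digest(a.signature, sign_body(a.body))

def headers_match_signed_copy(a: Article) -> bool:
    # Receiver-side check: the signed body must restate the bound headers,
    # and the transport headers must agree with that signed copy.
    if not signature_ok(a):
        return False
    signed = {}
    for line in a.body.split("\n\n", 1)[0].splitlines():
        name, sep, value = line.partition(": ")
        if sep:
            signed[name] = value
    return all(signed.get(k) == a.headers.get(k) for k in BOUND)

def with_header(a: Article, name: str, value: str) -> Article:
    # Models an article whose header changed in transit; body is untouched.
    return replace(a, headers={**a.headers, name: value})

# Constructed sample article
HEADERS = {"From": "announce@example.org",
           "Date": "Mon, 16 Apr 2001 14:07:12 -0700",
           "Newsgroups": "example.announce"}
plain = post(HEADERS, "Release 1.0 is out.\n")
bound = post(HEADERS, "Release 1.0 is out.\n", bind=True)
```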