On Mon, Apr 16, 2001 at 02:07:07PM -0700, Russ Allbery wrote:
Brad Templeton <brad(_at_)templetons(_dot_)com> writes:
Mulitpart/signed, while probably the best of the singature forms, is not
suitable to USENET. It only signs the body. Signing the body is not
just the least interesting thing we can do in USENET (99.9% of all
problems come from forged headers, not modification of bodies) it can
actually have negative value, if it leads people to think the article is
"signed" and thus can be trusted in ways that it actually can't.
This depends rather heavily on the context. What you say is true for some
applications (like control messages) and not true for others (like
official announcements from some entity or another that are posted to
Usenet). At the worst, what it means that one has to include the
important information that should be authenticated by the signature, such
as the date and the author, in the body of the message. Quite frequently
for things like announcements this is done as a matter of course anyway.
Yes, but manual verification of signatures is of dubious value. For
digital signature authentication to work properly, it is unfortunately
necessary that all messages in a class be signed, and that the presence
of an unsigned or improperly signed message be a major anomaly which gets
a fair bit of attention, or which is in fact forbidden.
If newsgroups allow both signed and unsigned messages, then it is trivial
to cause trouble by simply not signing your unsigned messages. If a given
user signs all his messages, it is not even sufficient for the software to
be able to warn that a user who normally signs all his messages has not
signed one, because the forger can play any number of tricks, including
simply posting a message "From: rrra(_at_)stanford(_dot_)edu" which looks like
you to
the non-careful eye, or worse "From:
rra(_at_)windlord(_dot_)stanford(_dot_)edu" which *is*
you but the software is unlikley to trap the warning that all messages
from this address should be signed. Or
rra%stanford(_dot_)edu(_at_)leland(_dot_)stanford(_dot_)edu
or many other forms which point to you.
Of course you're even assuming something outside the multipart/signed spec,
that the software is checking the From line at all, based on parsing it
somehow out of the body.
People have been able to sign article bodies for some time. It's not widely
used and it's really not very useful. It would be a poor intermediate
step because it's the wrong problem, and can lead to problems as well
as limited benefit.
All signing bodies does, without other checks, is allow me to prove after
the fact that I really sent a message. It doesn't prove that I _didn't_
send it, for I am free to post unsigned messages which I can later disclaim.
It also allows those who know my key to verify I sent a message, if they
check.
I've never been called upon to prove I sent a message. I don't recall ever
seeing this for anybody else either. I have seen cases where people wonder
if a person really sent a message, of course, but I've also seen a lot of
forgeries that were so blatantly obvious that nobody of the sort who would
check signatures would ever be fooled, and yet people are fooled.
What you need is a system that shows that messages are from who they say
they are from, and makes a big deal when they aren't. If 90% of messages
start having a "The sender of this message could not be authenticated"
then people simply start ignoring the warning, and it becomes of limited value.