Path: utzoo!attcan!utgpu!watmath!att!tut.cis.ohio-state.edu!gem.mps.ohio-state.edu!ginosko!uunet!mcvax!kth!sunic!ifi!naggum.uu.no!erik
From: erik@naggum.uu.no (Erik T Naggum)
Newsgroups: news.software.b
Subject: Re: public key cryptography to eliminate/detect forged messages
Message-ID: <89-221-0046@naggum.uu.no>
Date: 9 Aug 89 22:04:34 GMT
References: <1038@anise.acc.com>
Reply-To: Erik T Naggum
Organization: Naggum Software & Communications, Oslo, Norway
Lines: 38
Bcc: enag@ifi.uio.no

A few immediate reactions to Paul's proposed authentication keys:

- When posting, we have the message-id and the .postcrypt file. We can
  produce the Authorized-Key field from these.

- When cancelling, we must have both parts to get the check, and we will
  reveal the .postcrypt contents, if it is sent as the Cancel-Authorized
  field. Thus, the .postcrypt file needs to be changed after each cancel,
  right?

- If we change the .postcrypt file, we need a mapping between .postcrypt
  contents and message-id, to be stored with the user for some time.
  Might as well invent something to be used for key and log that.

- Or, we could send out the same value in the Cancel-Authorized as in the
  Authorized-Key field. Kinda defeats itself, right?

I don't think it's a good idea to use information embedded in the article
for authorization. However, is there anything else?

Wouldn't it be better if we could trace where a message came from, and
reject it if it had followed a different path than over the one we got it?
(Duplicates are a problem here. We must then log every duplicate to an
article and compare against, so this can also be defeated, but with a much
narrower range.) Cancel messages which followed another path are dropped
in the great bit bucket where the duplicates also go.

Much overhead and not much gain, I suppose. Just an idea.

Cheers,
--Erik T Naggum
+----+ +----+ ,
=== | === / Naggum Software & Communications
=== | === / POB 1560 VIKA; 0118 OSLO; NORWAY; +472-717-822
+----+ +----+ "These are my opinions, and not those of my employees."

PS: Do you trust your government?
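
The second and third points of the post above, worked as an added example that is not part of the original post or of Paul's proposal. The post does not say how Authorized-Key is computed, so a SHA-256 hash over the message-id and the .postcrypt contents is assumed, and all function names are hypothetical. It goes beyond the post by also showing a per-article key derived with HMAC, which keeps .postcrypt unrevealed and needs no stored mapping.

```python
import hashlib
import hmac

def _h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Scheme as discussed in the post (hash construction is an assumption):
# Authorized-Key = H(message-id, .postcrypt); Cancel-Authorized = .postcrypt.
def authorized_key(message_id: str, postcrypt: bytes) -> str:
    return _h(message_id.encode() + b"\0" + postcrypt)

def verify_cancel(message_id: str, key_field: str, cancel_authorized: bytes) -> bool:
    # The receiving site recomputes the check from both parts.
    return hmac.compare_digest(authorized_key(message_id, cancel_authorized), key_field)

# Swapped-in alternative (not from the post): reveal only a per-article key
# derived from .postcrypt, so the long-lived secret never leaves the poster.
def article_key(message_id: str, postcrypt: bytes) -> bytes:
    return hmac.new(postcrypt, message_id.encode(), hashlib.sha256).digest()

def derived_authorized_key(message_id: str, postcrypt: bytes) -> str:
    return _h(article_key(message_id, postcrypt))

def verify_derived_cancel(key_field: str, revealed_key: bytes) -> bool:
    return hmac.compare_digest(_h(revealed_key), key_field)

def demo() -> dict:
    secret = b"constructed-postcrypt-contents"      # constructed sample value
    art_a, art_b = "<a1@example.invalid>", "<b2@example.invalid>"  # constructed ids

    # Shared secret: cancelling article A publishes the secret itself ...
    lock_a, lock_b = authorized_key(art_a, secret), authorized_key(art_b, secret)
    seen_on_wire = secret
    # ... so the value any site saw also passes the check for article B.
    shared = {"a": verify_cancel(art_a, lock_a, seen_on_wire),
              "b_with_a_value": verify_cancel(art_b, lock_b, seen_on_wire)}

    # Derived key: the value revealed for A says nothing about B, and the
    # poster recomputes it from the message-id instead of keeping a log.
    dlock_a = derived_authorized_key(art_a, secret)
    dlock_b = derived_authorized_key(art_b, secret)
    seen_on_wire = article_key(art_a, secret)
    derived = {"a": verify_derived_cancel(dlock_a, seen_on_wire),
               "b_with_a_value": verify_derived_cancel(dlock_b, seen_on_wire)}
    return {"shared": shared, "derived": derived}

if __name__ == "__main__":
    print(demo())
```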