Path: utzoo!attcan!utgpu!watmath!att!tut.cis.ohio-state.edu!gem.mps.ohio-state.edu!ginosko!uunet!mcvax!kth!sunic!ifi!naggum.uu.no!erik
From: erik@naggum.uu.no (Erik T Naggum)
Newsgroups: news.software.b
Subject: Re: public key cryptography to eliminate/detect forged messages
Message-ID: <89-221-0046@naggum.uu.no>
Date: 9 Aug 89 22:04:34 GMT
References: <1038@anise.acc.com>
Reply-To: Erik T Naggum 
Organization: Naggum Software & Communications, Oslo, Norway
Lines: 38
Bcc: enag@ifi.uio.no

A few immediate reactions to Paul's proposed authentication keys:

- When posting, we have the message-id and the .postcrypt file.
  We can produce the Authorized-Key field from these.

- When cancelling, we must have both parts to get the check, and
  we will reveal the .postcrypt contents, if it is sent as the
  Cancel-Authorized field.  Thus, the .postcrypt file needs to be changed
  after each cancel, right?

- If we change the .postcrypt file, we need a mapping between
  .postcrypt contents and message-id, to be stored with the user
  for some time.  Might as well invent something to be used for
  key and log that.

- Or, we could send out the same value in the Cancel-Authorized
  as in the Authorized-Key field.  Kinda defeats itself, right?

I don't think it's a good idea to use information embedded in the
article for authorization.  However, is there anything else?

Wouldn't it be better if we could trace where a message came from,
and reject it if it had followed a different path than over the one
we got it?  (Duplicates are a problem here.  We must then log every
duplicate to an article and compare against, so this can also be
defeated, but with a much narrower range.)  Cancel messages which
followed another path are dropped in the great bit bucket where the
duplicates also go.

Much overhead and not much gain, I suppose.  Just an idea.

Cheers,
--Erik T Naggum
 +----+     +----+  , 
===   |   ===   /   Naggum Software & Communications
===   |  ===   /    POB 1560 VIKA; 0118 OSLO; NORWAY; +472-717-822
 +----+  +----+	    "These are my opinions, and not those of my employees."
		PS: Do you trust your government?
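
The three key-handling cases raised in the bullets above, modelled as an added example that is not part of the original post or of Paul's proposal. The SHA-256 construction, the function names and the message-ids are assumptions; the post only says the Authorized-Key field is produced from the message-id and the .postcrypt file.

```python
import hashlib
import hmac
import secrets

ARTICLES = ("<a1@site.invalid>", "<a2@site.invalid>")  # constructed message-ids

def authorized_key(secret: bytes, message_id: str) -> str:
    # Assumed construction: the post only says the field is produced from
    # the message-id and the .postcrypt file, not how.
    return hashlib.sha256(secret + b"\0" + message_id.encode()).hexdigest()

def cancel_ok(stored_key: str, revealed: bytes, message_id: str) -> bool:
    # Site-side check: the secret revealed in Cancel-Authorized must
    # reproduce the Authorized-Key stored with the original article.
    return hmac.compare_digest(stored_key, authorized_key(revealed, message_id))

def shared_secret_forgery_passes() -> bool:
    # One .postcrypt value covers every article the user posts.
    postcrypt = b"constructed long-term secret"
    site = {mid: authorized_key(postcrypt, mid) for mid in ARTICLES}
    seen_in_cancel = postcrypt  # user cancelled ARTICLES[0]; value is now public
    # A third party replays it against the user's other article.
    return cancel_ok(site[ARTICLES[1]], seen_in_cancel, ARTICLES[1])

def per_article_forgery_passes() -> bool:
    # Fresh secret per article, logged by message-id on the user's side.
    keylog = {mid: secrets.token_bytes(16) for mid in ARTICLES}
    site = {mid: authorized_key(keylog[mid], mid) for mid in ARTICLES}
    seen_in_cancel = keylog[ARTICLES[0]]
    assert cancel_ok(site[ARTICLES[0]], seen_in_cancel, ARTICLES[0])  # real cancel
    return cancel_ok(site[ARTICLES[1]], seen_in_cancel, ARTICLES[1])

def same_value_forgery_passes() -> bool:
    # Cancel-Authorized merely repeats Authorized-Key, so the site can only
    # compare for equality, and every reader of the article has the value.
    published = authorized_key(b"constructed secret", ARTICLES[0])
    copied_by_reader = published
    return hmac.compare_digest(published, copied_by_reader)

if __name__ == "__main__":
    print("shared .postcrypt, forged cancel accepted:", shared_secret_forgery_passes())
    print("per-article key,   forged cancel accepted:", per_article_forgery_passes())
    print("same value reused, forged cancel accepted:", same_value_forgery_passes())
```

Only the per-article variant rejects the second cancel, at the cost of the message-id to key log the third bullet describes.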