-----BEGIN PGP SIGNED MESSAGE----- On Sat, 15 Jan 1994, Philippe Nave wrote:
Here's my two cents' worth- how about a filter on incoming mail to the list that performs these functions: 1) check the incoming post for a PGP signature 2) If a sig is found, check it against the list's public keyring
2a) Make sure that as part of the sign up procedure, the subscriber's public key is also provided.
3) If the key matches, pop a line like "X-PGP-Keycheck: user so-and-so" into the posting 4) If the incoming message already has a "X-PGP-Keycheck:" line in it, drop that line off - somebody's trying to spoof us
also: 4a) Make sure the line pointing out that it was validated is part of the message, and not the headers, because some newreaders have a nasty habit of dumping headers that aren't recognized, or making them very difficult to find (you have to remember to switch to full headers for pine, for example.) I would think that a line added to the end of the message as a trailer woudl work dandilly. 5) If there is no PGP signature, the message is bounced back to the originating address. Yes, this might bounce to a non-existant one, but if joe@moron.com is trying to fake a message from joe@foo.com, joe@foo.com would find out about it then. Also, make sure the reply-to: header is set so that messages bouncing due to a non-existant address do lead to a loop.
For those 'punks who can/will sign their messages, this would provide a simple 'reputation check' visible to all recipients. For others, postings would flow through the system exactly like they do today, vulnerable to spoofs and so on.
Of course, there is the question of the reliability of the automated reposter... :-)
My main concern is that we get a filter online that is secure but simple. Programmers (myself included) will want to launch off and devise some horrendously complex PGP empire right away, but it would probably be smarter to start small.
Keep it simple and functional, IMHO. ____ Robert A. Hayden <=> hayden@krypton.mankato.msus.edu \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> To flame me, log on to ICBMnet and \/ Finger for PGP 2.3a Public Key <=> target 44 09' 49" N x 93 59' 57" W - -=-=-=-=-=-=-=- (GEEK CODE 1.0.1) GAT d- -p+(---) c++(++++) l++ u++ e+/* m++(*)@ s-/++ n-(---) h+(*) f+ g+ w++ t++ r++ y+(*) -----BEGIN PGP SIGNATURE----- Version: 2.3a iQCVAgUBLTjjG53BsrEqkf9NAQFDlQP+OeDUULpjOMJUxa7dRzf9se5SQL9Eln+f ZYh8HN7U9phUdroD6n2ta3b6v+hYkNtI6n2DGFtjOLtygxbwH1M8JAkZAFin78zC Kz8kkRolAxaHTjgRjFRXcyWPxUopDO57+Q+HYcOKJL3AwJa30cDvDmBjvGcXeXSs UQFQxM4VHf0= =5NNa -----END PGP SIGNATURE-----