From: Theodore Ts'o <tytso@athena.mit.edu>

Date: Tue, 2 Mar 93 14:15:15 EST From: pmetzger@shearson.com (Perry E. Metzger)

Of course there are ways -- and they need not be so drastic. You could, for instance, simply prevent non-subscribers from posting to your list, and use public key to verify identities. This would allow you to swiftly stop abuse. I've already noted this twice. You've claimed this is impractical, but the tools to do this, AND WITHOUT PATENT PROBLEMS, already exist and would be cheap to implement.

If they are so cheap to implement them, could someone please implement them FOR THE USENET GROUPS? (Where you don't have a concept of subscribers or non-subscribers?)

I don't have time Ted, I have really busy schedule. But, this is the thumbnail of what you want. 1. Build a decent tool to handle the public key sigs on news format message files and tell you if the file sender corresponds with the signature -- a variant on RIPEM (more like a half hour hack) should be able to do this. 2. Change the shell scripts handling incoming control messages inside the news software to check signatures against a trusted list. 3. Set some scripts handling incoming moderated newsgroups that check the signature against a trusted list. 4. Build a tool that checks that incoming signed messages correspond with signatures stored in the signature database for the site, and somehow flag non-authenticated or otherwise bogus signed messages. Add a header line to give out this info so rn and other newsreaders can nuke non-authenticated messages or what have you. Sounds like this begins to give you a large fraction of what you want without changing too much, and I bet its a few days of hacking. Its primitive, but it seems like the right thing for a start and you can take it from there. I specify keeping signatures on your news server and checking them there to keep users from needing special new newsreaders and to keep them from needing to run the signature code over and over again; presumably they can trust their sysadmin and if they cant they can get new tools so they don't have to.

I here lots of *talk* of how easy it is to do this, or how easy it is to do that. If it's so easy, why doesn't someone prove it to the rest of us by actually doing it. I hate to bring the Real World down upon you guys, but talk is cheap; code sometimes isn't.

As I've said, I don't have time myself, but the above is really easy for someone with a good knowledge of C News, RIPEM and the like. The hardest part is handling a key database and doing key management since RIPEM has no such provisions, but you can likely fix that. Then there is the issue of getting RSA to permit your hacks to RIPEM to get out, which I suspect they would. Okay, maybe not a few days, but certainly not much of a challenge here and you have the start of the system we were talking about. Among other things, it fixes forged control messages (presumably you would leave cancel messages alone, but it could let you authenticate newgroup and delgroups, which is a big problem), forged moderated messages, and give you the start of what you would need to start ignoring unsigned messages or messages from users you don't like on newsgroups. The stuff for non-moderated newsgroups would be primitive, but it would be a start and would let users have the option of deciding what they want to do with non-authenticated messages. Perry