Re: PGP posting validation
Just to throw in my two cents worth: How about this: Subscribes to the list (or anyone) can register their public keys with a special keyserver that is part of the mailing list software. Then, on any posts made thereafter, signed with that public key, the list software would append a header identifying the sender, their public key ID, and their key fingerprint/md5-hash. To prevent spoofing by registering false key IDs, the system could keep a reputation on each key, and report the number of days that key had been registered, and the number of posts. For example, a typical header might look like: From: John Doe <jd@net.com> Subject: Whatever Date: Tue, 27 May 1996 02:19:35 GMT PGP-Authenticated-As: 1296A5/1F5A6792E5609CD7A932B1C82CAE934F; John Doe PGP-Key-Reputation: 372d / 197p Assuming that John Doe had been on the list over a year (372 days) and had made 197 posts. If suddenly a post appeared: From: John Doe <jd@net.com> Subject: Detweiler Date: Tue, 29 May 1996 18:23:56 GMT PGP-Authentication: Unknown Key It would indicate that it was signed with a key that the system didn't have in its database; an obvious forgery. Hovever if the spoofer was able to register a false public key with the server, with John Doe's name on it: From: John Doe <jd@net.com> Subject: SQUISH Date: Tue, 29 May 1996 23:39:47 GMT PGP-Authenticated-As: 1296A5/6A1DFF5A49D56029B725E05609C0D7A9; John Doe PGP-Key-Reputation: 0d / 0p It would still be an obvious forgery, because the key had no reputation. Anonymous users might like this feature, because they could identify their posts without exposing their email addresses. I don't think it's really necessary to block posts from people who don't sign them, there are circumstances where it's not feasible to do so, but perhaps a warning could be added such as: PGP-Authentication: None
participants (1)
-
Matthew J Ghio