Lewis McCarthy (lmccarth@cs.umass.edu) wrote * [various newsgroups removed from the distribution] * Eli the Bearded writes: * > help prevent the moderator or a third party from inventing * > posts from people. (If someone always posts from the Lucifer remailer * > how can you tell real posts from that person from fakes? They all * > look a like.) * * Three words: "public key cryptography" * * Note that unsigned Usenet articles can be forged by anyone, * regardless of whether or not they're sent through an anonymizer. * Unsigned articles only give the illusion of authentication. At * least with anonymized articles, most people realize more readily * that there's no real proof of identity present (as you noted above). That is correct. A moderated newsgroup can be set up such that messages coming from certain addresses can be required to be digitally signed. This requirement, of course, does not have to apply to all users and can be done on a voluntary basis. Anonymous users can also enjoy the benefits of authentication, if they submit their public keys to the moderator (with the key address set to something like space@alien.nowhere) and request that all messages coming with the address "space@alien.nowhere" be authenticated. This is a very positive aspect of moderated groups, since anonymous posters can enjoy both anonymity and reputation. The other concern here seems to be forgers who forge valid addresses of existing users. Again, a moderated group has a great flexibility to introduce SOME authentication without even the need for using public key cryptography. The moderator can set up a password-based system. Anyone can request a password sent to them by sending an email to password@moderation.site.com. A unique password will be generated, stored and sent back to the requestor. The address that had been assigned the password gets on the "watch list" and all article submissions from that address would be checked for presence of the password. Of course, a password needs to be wiped out from the message priot to teh approval. As long as email remains private (ie, there is no man in the middle or any sniffers acting), this scheme is secure. Again, it may be either purely voluntary or mandatory. Of course, anonymous users need special treatment since they are unable to receive email. Such users may continue to use PGP. igor