CDRv2 discussion (was: Re: Al-qaeda.net deprecated)

Riad S. Wahby rsw at jfet.org
Mon Jan 20 11:44:15 PST 2014


"J.A. Terranson" <measl at mfn.org> wrote:
> 	Everyone sends to the node of their choice, the node sends to a 
> broadcast repeater that knows the source, and sends to everyone else, 
> after stripping any mailman specific things like tags, etc.  The down side 
> to this kind of dumb repeater is in the case of outages - the repeater 
> will not know (or would it? I need to look at this in postfix) what to 
> forward.

As far as I can tell this doesn't (yet) solve the problem of
whitelisting subscribers to other nodes.

However, we can add one more step and solve this: when a node receives
an email from the repeater whose sender is a member of the node's local
subscriber list, it bounces the message back to the repeater with an
added header saying, in effect, "I vouch for this sender."

Other nodes employing sender whitelisting would ignore the first email,
since its sender isn't locally whitelisted and it lacks the
aforementioned node-auth header, but would presumably forward the second
email, assuming they chose to trust the node that is vouching for the
sender. Nodes with no whitelisting policy could safely ignore the second
email by filtering out duplicate msgids or something similar.

I'm not totally in love with the master repeater scheme, though.
Notwithstanding my previous comments regarding the supposed threat model
behind the CDR's original conception, as long as we're paying the fixed
cost of setting up a new system we may as well get *some* additional
reliability out of it, right?

-=rsw
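The vouching exchange described in the message above, as an added simulation (this is not code from the thread or from any CDR node software). It assumes a queue-based repeater that excludes the originating node when it rebroadcasts, and the node names, addresses and the "X-CDR-Vouch" header name are made up for illustration. Node B trusts A's vouch, node C trusts nobody, and node D runs no whitelist and relies on Message-ID deduplication.

```python
"""Simulation of the repeater + 'I vouch for this sender' scheme.

Added example, not from the original thread. Node names, addresses and
the X-CDR-Vouch header name are hypothetical.
"""
from collections import deque
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Mail:
    msgid: str
    sender: str
    subject: str
    vouched_by: Optional[str] = None  # value of the hypothetical X-CDR-Vouch header


class Repeater:
    """Dumb broadcast repeater: knows the source node, forwards to everyone else."""

    def __init__(self):
        self.nodes = {}
        self.queue = deque()  # (mail, origin) pairs waiting to be fanned out

    def register(self, node):
        self.nodes[node.name] = node

    def broadcast(self, mail, origin):
        # Strip list-specific decoration; here simulated as a "[cdr] " subject tag.
        subject = mail.subject
        if subject.startswith("[cdr] "):
            subject = subject[len("[cdr] "):]
        self.queue.append((replace(mail, subject=subject), origin))

    def run(self):
        # Drain the queue so that vouched copies follow the original, as they would in mail flow.
        while self.queue:
            mail, origin = self.queue.popleft()
            for name, node in self.nodes.items():
                if name != origin:
                    node.receive_from_repeater(mail, self)


class Node:
    def __init__(self, name, subscribers, whitelist, trusted_nodes=()):
        self.name = name
        self.subscribers = set(subscribers)
        self.whitelist = whitelist          # True: accept only local or vouched senders
        self.trusted_nodes = set(trusted_nodes)
        self.seen = set()                   # msgids already delivered (duplicate filter)
        self.log = []                       # (msgid, vouched_by, outcome) in arrival order

    def submit(self, mail, repeater):
        """A user injects a message at this node; it applies its own policy and forwards."""
        self.deliver(mail)
        repeater.broadcast(mail, origin=self.name)

    def receive_from_repeater(self, mail, repeater):
        # Vouch step: an un-vouched message whose sender is one of our subscribers
        # is bounced back to the repeater with the node-auth header added.
        if mail.vouched_by is None and mail.sender in self.subscribers:
            repeater.broadcast(replace(mail, vouched_by=self.name), origin=self.name)
        self.deliver(mail)

    def deliver(self, mail):
        if self.whitelist:
            ok = mail.sender in self.subscribers or mail.vouched_by in self.trusted_nodes
            if not ok:
                self.log.append((mail.msgid, mail.vouched_by, "rejected"))
                return "rejected"
        if mail.msgid in self.seen:
            self.log.append((mail.msgid, mail.vouched_by, "duplicate"))
            return "duplicate"
        self.seen.add(mail.msgid)
        self.log.append((mail.msgid, mail.vouched_by, "delivered"))
        return "delivered"


def run_scenario():
    """alice subscribes at A but posts via B; returns each node's outcome log."""
    rep = Repeater()
    a = Node("A", subscribers={"alice@example.org"}, whitelist=True)
    b = Node("B", subscribers={"bob@example.org"}, whitelist=True, trusted_nodes={"A"})
    c = Node("C", subscribers={"carol@example.org"}, whitelist=True)   # trusts no other node
    d = Node("D", subscribers=set(), whitelist=False)                  # no whitelist, dedups
    for n in (a, b, c, d):
        rep.register(n)
    msg = Mail("m1@example.org", "alice@example.org", "[cdr] hello")  # constructed sample
    b.submit(msg, rep)
    rep.run()
    return {n.name: n.log for n in (a, b, c, d)}


if __name__ == "__main__":
    for node, log in run_scenario().items():
        print(node, log)
```

Running it shows the behaviour the message describes: A delivers the original because alice is local, B rejects the first copy and delivers the vouched one because it trusts A, C rejects both, and D delivers the original and drops the vouched copy as a duplicate msgid. The trust decision is entirely in each node's `trusted_nodes` set; nothing in the header itself proves who added it, which is why trust in the vouching node is the real security boundary here.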
