From: "Robert A. Hayden" <hayden@krypton.mankato.msus.edu>
Date: Sun, 16 Jan 94 15:09:05 PST
To: Cypherpunks Mailing List <cypherpunks@toad.com>
Subject: Re: PGP posting validation
In-Reply-To: <m0pLf52-0003DxC@brewmeister.xstablu.com>
Message-ID: <Pine.3.88.9401161724.A7721-0100000@krypton.mankato.msus.edu>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

On Sun, 16 Jan 1994, DrZaphod wrote:

>   Robert A. Hayden [hayden@krypton.mankato.msus.edu] wrote:

Just to verify, I followed up to a previous posting, it wasn't mine 
originally :-)

> 
> > > Here's my two cents' worth- how about a filter on incoming mail to the list
> > > that performs these functions:
> > >   1) check the incoming post for a PGP signature
> > >   2) If a sig is found, check it against the list's public keyring
> 
> 	Hmm.. this would allow us to prove that THE LIST thinks he's
> who he says he is.. or who THE LIST tells us he is.. Now, I am not
> paranoid against THE LIST, but I suggest that THE PEOPLE should
> not filter THEIR thoughts.  What of censorship [on an aside, is there
> a censor apprenticeship?  Why the 'ship?']!?  If you must censor.. 
> censor your own messages with filters running on your own machine..
> maybe even publish your filter list to the net so we can all understand
> each other.  Remember that there will always be a percentage of noise
> in any public forum.. there is no average without these outliers.  
> For a group SO interested in RANDOM numbers, some people sure do want
> to organize everything.  TTFN.

Please don't take this as confrontational (ie, this is not a flame :-)

How would requiring that postings made to a list be verifyable be 
censorship?  What it does is verify that REAL people posted the message 
and that the person who's address is on the message is actually the person 
that posted it.

Now, granted, I suppose it could end up dumping some postings because 
they were forged, and that is sort of censoring.  But it isn't censoring 
based on content, but based on the fact that it appears to be a forgery.  
And by bouncing a message back to the person that posted it, you give 
them an opportunity to repost (this time signed) in case they forgot.

Also, as for the filter idea.  If some jerk is posting a message as 
appearing to come from schmuck@foo.bar.com, yes, I could add that address 
to my filter and delete it before i see it, but if the jerk starts 
posting as coming from idjit@bar.foo.com, I'd have to add another filter 
line.

By doing a check of the digital signature against the posters public key, 
you eliminate most instances of forgery.  Of course, if the poster's key 
is compromised, that's a different story.

____        Robert A. Hayden          <=> hayden@krypton.mankato.msus.edu
\  /__          -=-=-=-=-             <=>          -=-=-=-=-
 \/  /   Finger for Geek Code Info    <=> To flame me, log on to ICBMnet and
   \/  Finger for PGP 2.3a Public Key <=> target 44 09' 49" N x 93 59' 57" W 
- -=-=-=-=-=-=-=-
(GEEK CODE 1.0.1)  GAT d- -p+(---) c++(++++) l++ u++ e+/* m++(*)@ s-/++
		       n-(---) h+(*) f+ g+ w++ t++ r++ y+(*)


-----BEGIN PGP SIGNATURE-----
Version: 2.3a

iQCVAgUBLTnJ/53BsrEqkf9NAQEUNgP/ZcToPpXmZ1LodtlMUi3xibxppUEAKv5H
czC97H08Lewk+E9Ss2eRjJWWfMsqTE7Yo1o7iAD+aB6dhrpSLNJ4XuTLD/Z8SWO2
OeWZTgSp1gwAbqrQBRyIkq0Ocu5GgI9bURzqoSfUQ6s1sPi8fSqICghG0vV5sXYd
IFqoEJQSTPc=
=sIKV
-----END PGP SIGNATURE-----