From: “Robert A. Hayden” <hayden@krypton.mankato.msus.edu>
To: Cypherpunks Mailing List <cypherpunks@toad.com>
Message Hash: cb6804edf59a6c4deb820c5bd5d77b92d8ae81099148efea2ef32374f437da2c
Message ID: <Pine.3.88.9401160001.A24751-0100000@krypton.mankato.msus.edu>
Reply To: <9401160545.AA04896@toad.com>
UTC Datetime: 1994-01-16 06:45:53 UTC
Raw Date: Sat, 15 Jan 94 22:45:53 PST
From: "Robert A. Hayden" <hayden@krypton.mankato.msus.edu>
Date: Sat, 15 Jan 94 22:45:53 PST
To: Cypherpunks Mailing List <cypherpunks@toad.com>
Subject: Re: PGP posting validation
In-Reply-To: <9401160545.AA04896@toad.com>
Message-ID: <Pine.3.88.9401160001.A24751-0100000@krypton.mankato.msus.edu>
MIME-Version: 1.0
Content-Type: text/plain
-----BEGIN PGP SIGNED MESSAGE-----
On Sat, 15 Jan 1994, Philippe Nave wrote:
> Here's my two cents' worth- how about a filter on incoming mail to the list
> that performs these functions:
> 1) check the incoming post for a PGP signature
> 2) If a sig is found, check it against the list's public keyring
2a) Make sure that as part of the sign up procedure, the
subscriber's public key is also provided.
> 3) If the key matches, pop a line like "X-PGP-Keycheck: user so-and-so"
> into the posting
> 4) If the incoming message already has a "X-PGP-Keycheck:" line in it,
> drop that line off - somebody's trying to spoof us
also:
4a) Make sure the line pointing out that it was validated is part
of the message, and not the headers, because some newreaders
have a nasty habit of dumping headers that aren't recognized,
or making them very difficult to find (you have to
remember to switch to full headers for pine, for example.)
I would think that a line added to the end of the message
as a trailer woudl work dandilly.
5) If there is no PGP signature, the message is bounced back to
the originating address. Yes, this might bounce to a
non-existant one, but if joe@moron.com is trying to fake a
message from joe@foo.com, joe@foo.com would find out
about it then. Also, make sure the reply-to: header is
set so that messages bouncing due to a non-existant address
do lead to a loop.
> For those 'punks who can/will sign their messages, this would provide a simple
> 'reputation check' visible to all recipients. For others, postings would flow
> through the system exactly like they do today, vulnerable to spoofs and so on.
Of course, there is the question of the reliability of the automated
reposter... :-)
> My main concern is that we get a filter online that is secure but simple.
> Programmers (myself included) will want to launch off and devise some
> horrendously complex PGP empire right away, but it would probably be smarter
> to start small.
Keep it simple and functional, IMHO.
____ Robert A. Hayden <=> hayden@krypton.mankato.msus.edu
\ /__ -=-=-=-=- <=> -=-=-=-=-
\/ / Finger for Geek Code Info <=> To flame me, log on to ICBMnet and
\/ Finger for PGP 2.3a Public Key <=> target 44 09' 49" N x 93 59' 57" W
- -=-=-=-=-=-=-=-
(GEEK CODE 1.0.1) GAT d- -p+(---) c++(++++) l++ u++ e+/* m++(*)@ s-/++
n-(---) h+(*) f+ g+ w++ t++ r++ y+(*)
-----BEGIN PGP SIGNATURE-----
Version: 2.3a
iQCVAgUBLTjjG53BsrEqkf9NAQFDlQP+OeDUULpjOMJUxa7dRzf9se5SQL9Eln+f
ZYh8HN7U9phUdroD6n2ta3b6v+hYkNtI6n2DGFtjOLtygxbwH1M8JAkZAFin78zC
Kz8kkRolAxaHTjgRjFRXcyWPxUopDO57+Q+HYcOKJL3AwJa30cDvDmBjvGcXeXSs
UQFQxM4VHf0=
=5NNa
-----END PGP SIGNATURE-----
Return to January 1994
Return to ““Robert A. Hayden” <hayden@krypton.mankato.msus.edu>”