geoff@zoo.toronto.edu (Geoffrey Collyer) (02/05/91)
David C Lawrence:
> C News does no security checking whatsoever on cancel messages,
> under the theory that they are so easy to forge anyway. While the
> latter is true, I do believe some measure of checking is good. It's
> like putting a fence up around your yard; sure it won't stop
> determined people from crossing it, but it will stop the idle
> strollers from stomping on through.

This issue pops up periodically; I guess Henry and I are going to have to write a FAQ message.

The real reasons that relaynews doesn't attempt validation of cancels are that the necessary credentials are easy to forge and that attempts in the past to validate cancels have prevented *legitimate* cancels from taking effect because the news posting software that generated the original From: header and the news reading software that generated the cancel message couldn't agree on the exact spelling of the From: header, which is what B rnews checked on cancels. There are lots of reasons for this, including changes in the news reader between posting and cancellation, intermediate (old) rnews's stripping full names in the From: comment field, and news readers generating their own From: headers differently than inews does. After having trouble cancelling my own articles in the past, I decided to err on the side of making cancels useful. One can argue that it would just take a wee bit of AI to match the two From: headers, but I prefer to keep AI out of my programs.

On reflection, I think A News got this right: there were no control messages, largely due to lack of authentication. Unless we can come up with a good but dirt cheap (and I *mean* dirt cheap; roughly, a few milliseconds on a Sun 3/50 per message) authentication scheme using encryption, I'm strongly tempted to remove all automatic processing of destructive control messages. After all, one can always post a follow up saying ``Sorry, everyone. Ignore that last message. I was on drugs at the time.'', and comp.mail.maps can be unbundled, processed and expired within 24 hours. The only real problem I see is Clarinet, which relies heavily on cancels or Supersedes: to purge out-of-date news stories and keep disk consumption down.

So, what's the state of the art in reversible public-key unlicensed unpatented cryptosystems? Still dismal? :-)

--
Geoff Collyer utzoo!geoff, zoo.toronto.edu!geoff
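The From: spelling mismatch described above, as an added illustration that is not part of the original post and is not code from B News or C News: a constructed set of header pairs (same poster, spelled differently by inews and by the news reader, plus one different poster) run through an exact-string comparison of the kind the post attributes to B rnews, beside a comparison on the mailbox alone. The sample headers, the helper names and the case-folding of the local part are assumptions.

```python
import re

# Constructed sample From: header pairs (not from the original post). Each
# pair is the header as written on the original article and as written on
# the cancel for it; the first three are the same mailbox spelled differently,
# the last is a different person.
SAMPLES = [
    ("geoff@zoo.toronto.edu (Geoffrey Collyer)",
     "Geoffrey Collyer <geoff@zoo.toronto.edu>"),   # reader rewrote the form
    ("geoff@zoo.toronto.edu (Geoffrey Collyer)",
     "geoff@zoo.toronto.edu"),                      # old rnews stripped the comment
    ("Geoff@Zoo.Toronto.EDU (Geoffrey Collyer)",
     "geoff@zoo.toronto.edu (Geoffrey Collyer)"),   # case differs in the address
    ("geoff@zoo.toronto.edu (Geoffrey Collyer)",
     "henry@zoo.toronto.edu (Henry Spencer)"),      # not the same poster
]

_ANGLE = re.compile(r"<([^>]*)>")
_COMMENT = re.compile(r"\([^)]*\)")


def exact_match(orig: str, cancel: str) -> bool:
    """Exact-spelling comparison, the check the post attributes to B rnews."""
    return orig == cancel


def mailbox(header: str) -> str:
    """Return only the local@domain part of a From: header, dropping the
    full name whether it is written as 'addr (Name)' or 'Name <addr>'."""
    m = _ANGLE.search(header)
    addr = m.group(1) if m else _COMMENT.sub("", header)
    return addr.strip()


def mailbox_match(orig: str, cancel: str) -> bool:
    """Compare the two headers on the mailbox alone. Domains are compared
    case-insensitively; the local part is folded too (assumption: the site
    treats local parts case-insensitively, as most did)."""
    return mailbox(orig).lower() == mailbox(cancel).lower()


def evaluate(samples=SAMPLES):
    """Run both checks over each pair; returns a list of (exact, mailbox) bools."""
    return [(exact_match(o, c), mailbox_match(o, c)) for o, c in samples]


if __name__ == "__main__":
    for (o, c), (e, m) in zip(SAMPLES, evaluate()):
        print(f"exact={e!s:5} mailbox={m!s:5}  {o!r} vs {c!r}")
```

The exact check rejects all three legitimate pairs, which is the failure the post describes; the mailbox check accepts them and still rejects the last pair, though it remains only a fence against idle strollers, not an authentication scheme.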