[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

PGP posting validation



-----BEGIN PGP SIGNED MESSAGE-----

As I recall, the PGP-filtered mail list idea was proposed to the list a while
back and semi-informally put to a vote. At the time, I 'voted' against the 
idea, because I did not perceive the spoofing problem to be serious enough
to warrant that sort of response. Times change, I guess - it's easy to filter
certain names and anon ids out of my mail, but more complex spoofs involving
SMTP ports and so on call for more involved filtering procedures.

Here's my two cents' worth- how about a filter on incoming mail to the list
that performs these functions:
  1) check the incoming post for a PGP signature
  2) If a sig is found, check it against the list's public keyring
  3) If the key matches, pop a line like "X-PGP-Keycheck: user so-and-so"
     into the posting
  4) If the incoming message already has a "X-PGP-Keycheck:" line in it, 
     drop that line off - somebody's trying to spoof us

For those 'punks who can/will sign their messages, this would provide a simple
'reputation check' visible to all recipients. For others, postings would flow
through the system exactly like they do today, vulnerable to spoofs and so on.

My main concern is that we get a filter online that is secure but simple.
Programmers (myself included) will want to launch off and devise some 
horrendously complex PGP empire right away, but it would probably be smarter
to start small.

- -- 
........................................................................
Philippe D. Nave, Jr.   | The person who does not use message encryption
[email protected]   | will soon be at the mercy of those who DO...
Denver, Colorado USA    | PGP public key: by arrangement.

-----BEGIN PGP SIGNATURE-----
Version: 2.3a

iQCVAgUBLTjTAwvlW1K2YdE1AQGEdAP8DY8KAK7EU9HkPxuuqMwApwTB7hMP+k1i
WGzHgq6RLQvHpZAbzywAbLvxVayzbPd+oCAfF8rSuf7NgFiz8TSqIDyMxM7dGh8Q
8KkEUbEyMQG4//M1Y0HrxhZXemq0a98umtAEQmyyFUFFuvrR95q5iJ1BtGqqF+oH
fNXp2UIqfIw=
=cXHA
-----END PGP SIGNATURE-----