
Auto-Verifying of Sigs



-----BEGIN PGP SIGNED MESSAGE-----

Thinking about this requiring/checking sigs thing, I thought of 
something...

Really, the only "unknown" with signed messages is whether they are valid 
or not; it's pretty easy to distinguish the unsigned posts.  Furthermore, 
it seems to be my observation with verifying digsigs (as I do in 
non-crypto groups I subscribe to) that the vast majority of sigs will 
turn up OK.  It seems, therefore, that expending a lot of effort to 
change the current list to allow this would be wasteful considering the 
relatively few times that it would produce any useful information.

May I propose a "better" way (you be the judge here): Proxy the job.

Have a 'bot subscribe to the list (through whatever way), armed with a 
complete keyserver keyring.  Its only function is to check all signed 
messages from the list.  Unsigned messages, messages with sigs that 
checked OK, and messages signed with unknown keys would generate no 
response from the 'bot.  A failed sig, however, would cause the 'bot to 
send a (digitally signed, optionally) message to the list to the effect 
of "This message here didn't check OK" (complete with disclaimers and 
warnings about trusting authorities blindly).

This would be a totally automated way of checking sigs, and wouldn't 
involve any new code on the list's part.  Those who didn't want the 
intruding messages could killfile the 'bot, and the rest of us wouldn't 
be bothered with redundant information on every post.

What say ye all?  I can tentatively volunteer my business account to do 
the work (have to talk to my boss about it first, as that account has to 
pay for volume and phone time).  I'll play with some code in the meantime 
and see what I can come up with.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBLtz1EjER5KvPRd0NAQEx7gP+IlVoJG1YVXKmQViVCtabX1owrH2MHDBg
MpKBq7T6NbPMTDUWLE7HNWTfw5BvZbSCC1uRRM2rKV6xHZPxU0buUsoDc5QLT10b
xYbs9/j81dlTve7/fMToJjNJuls61289XaOIlfPN+sBIGX1TwrtDKek6To8GsdAN
YmkUYUUFzL8=
=3fF9
-----END PGP SIGNATURE-----
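
The decision rule the post proposes for the 'bot, as an added example that is not part of the original message or any code its author wrote. It assumes GnuPG (not the PGP 2.6.2 used above) as the verifier and reads its "[GNUPG:]" status lines; the function names, sample bodies, key ID and user are constructed for illustration.

```python
import subprocess

SIGNED_MARKER = "-----BEGIN PGP SIGNED MESSAGE-----"

def is_clearsigned(body):
    # The marker must be a whole line of its own; a quoted "> -----BEGIN..."
    # copy inside a reply is not a signature on the reply itself.
    return any(line.rstrip() == SIGNED_MARKER for line in body.splitlines())

def gpg_status(body):
    # Assumption: GnuPG is installed and its keyring holds the keyserver keys.
    # --status-fd 1 sends machine-readable "[GNUPG:] ..." lines to stdout.
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify"],
                          input=body.encode(), capture_output=True)
    return proc.stdout.decode(errors="replace")

def triage(body, status=None):
    """Classify one list message: unsigned, ok, unknown-key, failed, unverifiable."""
    if not is_clearsigned(body):
        return "unsigned"
    if status is None:
        status = gpg_status(body)
    keywords = set()
    for line in status.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "[GNUPG:]":
            keywords.add(parts[1])
    if "BADSIG" in keywords:        # key known, signature does not match the text
        return "failed"
    if "NO_PUBKEY" in keywords:     # signer's key is not on the keyring
        return "unknown-key"
    if "GOODSIG" in keywords:
        return "ok"
    return "unverifiable"           # damaged armor, unsupported algorithm, ...

def should_post(body, status=None):
    # Only a definite failure produces list traffic; everything else is silent.
    return triage(body, status) == "failed"

# Constructed sample inputs (key ID and user are made up).
SIGNED = SIGNED_MARKER + "\n\nhello\n-----BEGIN PGP SIGNATURE-----\n...\n"
QUOTED = "> " + SIGNED_MARKER + "\n> hello\n\nI agree.\n"
BAD = "[GNUPG:] BADSIG 0123456789ABCDEF Constructed User <user@example.invalid>\n"
GOOD = "[GNUPG:] GOODSIG 0123456789ABCDEF Constructed User <user@example.invalid>\n"
NOKEY = ("[GNUPG:] ERRSIG 0123456789ABCDEF 1 2 01 800000000 9\n"
         "[GNUPG:] NO_PUBKEY 0123456789ABCDEF\n")
```

BADSIG is tested first so that a message carrying one good and one bad signature is still reported.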