An alternative suggestion (was Re: Hold on to your news servers)

Edward S. Marshall emarshal at logic.net
Sun Nov 15 20:29:11 UTC 1998


On Sun, 15 Nov 1998, Roeland M.J. Meyer wrote:
> Over the years UseNet has devolved from anarchy into chaos. IMHO, it can
> not evolve back.

Death of Usenet predicted. Film at 11.

I don't see things this way at all. There's one piece missing from Usenet:
accountability. While Karl's proposal addresses this (with binaries only,
unfortunately), it goes too far, and damages the right to privacy that
people expect, as well as presents far too many opportunities for leakage
to those who didn't ask for his cancels. (Karl, while you might think that
cancels are only advisory, they're not for most people; many news admins
simply set up INN out of the box, with cancels enabled, and never change
the defaults. This means that when your cancels leak, and they will,
administrators have to opt-out. Saying this is the fault of their peers is
merely petty buck-passing; it's the fault of -YOUR- peers.)

This is why I don't support Karl's proposal. Not because it is a
fundamentally bad idea or because I have a problem with him personally
(the latter of which has been seen far too much), but because it fails to
address the basic need for personal privacy in a public forum, and because
it fails to operate as a strictly opt-out mechanism.  Address that, while
still making it possible for law enforcement (with proper authorization)
to perform an investigation, and you'll have me aboard in a heartbeat.

Aside from the lack of authentication, as a medium, Usenet is alive and
well. The big 8 are managed in a clear, coherent manner (by a well-defined
voting procedure and authenticated mechanism for creation and retirement
of groups). What you seem to have a problem with is "alt", and other
hierarchies without any kind of growth control.

But, so as to avoid the "ok, what's your better idea, then" posts, here's
my suggestion. Instead of Karl's system, which places the burden of
signing on the customer, and eliminates their posting privacy, why not a
system like this:

- The system signs the message going out, not the individual. Thus, we
  know where the message came from (unlike with path headers, which can be
  forged), and it's much easier to get buy-in from server administrators
  than it is from the end-user. Especially when a system like this starts
  reaching critical mass; for a legitimate business providing Usenet
  service, buy-in is a no-brainer.

- Require DH/DSS keys instead of RSA, so that admins can use something
  like GPG instead of PGP so they aren't saddled with the cost of a server
  license on PGP, taking some burden off of the administrator, and making
  sure that the central authority doesn't ever get nailed with needing
  to purchase the server licence. All modern versions of PGP support
  DH/DSS, so this restriction isn't a problem.

- Sign every local post, not just binaries. Why should we treat one post
  differently than others? Just as a binary post could be child porn, a
  text post could be slander or a copyright infringement.

- Issue batches of NoCeMs instead of cancels (using DH/DSS keys instead of
  RSA). This:
  - gives us a verification mechanism that the sender of the message
    really is the central signature-checking authority, and not someone
    trying to be annoying.
  - makes it possible to process them more efficiently (in batches as
    opposed to individually)
  - ensures that the system really is opt-in, instead of abusing the fact
    that many administrators leave cancels enabled by default, and making
    it a pseudo opt-out system.
  - allows the average person to take part in this, even if their news
    administrator doesn't, by using NoCeM for what it was originally
    designed for (as a personal filter).

With this, law enforcement knows where the message came from. Now, it's up
to the Usenet source to maintain some means of correlating a post to a
physical human being (à la NNTP authentication, or NNTP-Posting-Host with a
timestamp and login record). Any Usenet source with an abuse department
needs this infrastructure in place anyway. If you don't maintain this
correlating data, guess who's liable for the content posted?

I see this as a much better solution; it preserves the customer's privacy,
keeps the legal liability where it belongs (the originating system, and
the poster), and takes the burden off of the end user. To them, this is
completely invisible.

Comments welcome. Feel free to forward this to more appropriate forums if
you like the idea, and think others might.

-- 
Edward S. Marshall <emarshal at logic.net> />  Who would have thought that we  -o)
http://www.logic.net/~emarshal/        // would be freed from the Gates of  /\\
Linux Weenie, Open-Source Advocate    </    hell by a penguin named "Tux"? _\_v
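
The flow proposed in this message, as an added example that is not code from the post or from INN, GPG or NoCeM: the injecting server signs every outgoing article with one site key, and a checker emits an advisory list of Message-IDs that fail verification. ECDSA P-256 from Go's standard library stands in for the DH/DSS keys the post asks for. The Article fields, the Registry type, the function names and the sample articles are hypothetical, and the list is a plain slice, not the real NoCeM notice format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

type Article struct { // constructed stand-in for a Usenet post
	MessageID, Site, Body string // Site names the injecting server
	Sig                   []byte // site signature, empty if unsigned
}

type Registry map[string]*ecdsa.PublicKey // site name -> published key (assumed)

func digest(a *Article) []byte {
	h := sha256.Sum256([]byte(a.MessageID + "\n" + a.Site + "\n" + a.Body))
	return h[:]
}

func NewSiteKey() (*ecdsa.PrivateKey, error) { // one key pair per server, none per user
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignOutgoing is run by the injecting server on every local post.
func SignOutgoing(k *ecdsa.PrivateKey, a *Article) (err error) {
	a.Sig, err = ecdsa.SignASN1(rand.Reader, k, digest(a))
	return err
}

// Batch lists Message-IDs lacking a valid site signature (advisory, NoCeM-style).
func Batch(reg Registry, arts []*Article) (hide []string) {
	for _, a := range arts {
		if pub := reg[a.Site]; pub == nil || !ecdsa.VerifyASN1(pub, digest(a), a.Sig) {
			hide = append(hide, a.MessageID)
		}
	}
	return hide
}

func main() {
	a := &Article{MessageID: "<1@news.example.net>", Site: "news.example.net", Body: "hi"}
	unsigned := &Article{MessageID: "<2@news.example.net>", Site: a.Site, Body: "spam"}
	if k, err := NewSiteKey(); err == nil && SignOutgoing(k, a) == nil {
		fmt.Println(Batch(Registry{a.Site: &k.PublicKey}, []*Article{a, unsigned}))
	}
}
```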



