Home Messages Index
[Date Prev][Date Next][Thread Prev][Thread Next]
Author IndexDate IndexThread Index

Re: The images have been removed.

  • Subject: Re: The images have been removed.
  • From: Tim Smith <reply_in_group@xxxxxxxxxxxxxxxx>
  • Date: Tue, 20 Jun 2006 23:34:48 -0000
  • Newsgroups: comp.os.linux.advocacy
  • Organization: Institute of Lawsonomy, Department of Suction and Pressure
  • References: <1150754326.166840.18800@p79g2000cwp.googlegroups.com> <uc-dnbtygZeftgrZnZ2dnUVZ_v2dnZ2d@giganews.com> <2062333.rkN68hi3iL@schestowitz.com> <KSNlg.6539$Za5.3561@trnddc04>
  • User-agent: slrn/0.9.7.4 (OS/2 for ENIAC)
  • Xref: news.mcc.ac.uk comp.os.linux.advocacy:1121557
In article <KSNlg.6539$Za5.3561@trnddc04>, Mathew P. wrote:
> I think it's time to consider gpg signing of your messages. *

The problem with that is most people won't bother to get his key to verify
his signature.  Also, gpg signatures are kind of verbose.  Here's an outline
for a proposed system to combat such forgery, without the drawbacks.  I
don't have time to flesh out the details and implement this, so if someone
is looking for a fun, interesting, usenet-related project to do and make
open source, feel free to do this.

The basic idea is that I have no idea *who* Roy (to continue with him as the
example) is, so all I really care about is that when I see two posts that
both claim to be from Roy, they are from the same person.

Conceptually, that could be verified with a procedure like the following:

1. Roy generates a public key and private key.

2. Roy signs his posts with the private key.

3. Roy appends to his posts both the signature AND the public key.

On the receiving end, your newsreader would verify the signature, using the
attached public key.  That shows that the poster knew the private key for
that public key.

Your newsreader would keep a local database of the public keys it has seen.

When you get another post claiming to be from Roy, your newsreader would see
that it is using a public key you've already seen, and the signature
matches.

This could be done with gpg, but it would require not only the verbose
signature, but also the even more verbose public key, on every post.  Yuck!

What we need for this is a public key algorithm where we can comfortably
encode the key and the signature in two lines in the signature block.  That
gives us 144 characters, which, using base64, can encode 864 bits.

So, we need a public key algorithm where the public key, plus a signed hash
of a message, fit in 864 bits.

Once we have that, we'd then need plugins or mods or patches for the popular
newsreaders to recognize these signatures and maintain the local database,
and mark messages as verified or fraudulent.

Could be a fun project.

-- 
--Tim Smith

[Date Prev][Date Next][Thread Prev][Thread Next]
Author IndexDate IndexThread Index