
   comp.misc      General topics about computers not cover      21,759 messages   


   Message 19,802 of 21,759   
   Johanne Fairchild to Rich   
   Re: If you were to design a netnews prot   
   14 Aug 24 13:33:15   
   
   XPost: alt.fan.usenet   
   From: jfairchild@tudado.org   
      
   Rich  writes:   
      
   > In comp.misc Johanne Fairchild  wrote:   
   >> Richard Kettlewell  writes:   
   >>   
   >>>> Just a thought experiment:   
   >>>> if you could/had to make something like a NNTP 2.0 (with no need for   
   >>>> backwards compatibility) and server and client software for it today, what   
   >>>> would it be like?   
   >>>> In terms of specifications, technologies used, user interface, etc.   
   >>   
   >> [...]   
   >>   
   >>>   * All messages signed by author and originating server (supporting   
   >>>     reputation management)   
   >>   
   >> Can you elaborate on this?  You'd like to bind each message to the   
   >> author-public-key and his NNTP server?  So that everyone knows who he is and   
   >> which server he used?  (Can you give an example of how you'd do that?)   
   >   
   > One possibility (which would inherit most if not all of the pgp/gpg   
   > 'key' distribution problem):   
   >   
   > 1) each user generates a gpg key pair they use for 'usenet2' posts.   
   >   
   > 2) user uploads public key to some "central source" for others to   
   >    retrieve from [1] for 'validation' purposes.   
   >   
   > 3) user installs private half of key in their client software   
   >   
   > 4) for each post, user's client software 'signs' the message using the   
   > private key, inserting the 'signature' into appropriate message   
   > 'headers' (note, there's a lot left unstated here, I'm spitballing, not   
   > protocol designing).   
   >   
   > 5) each server also performs step 1 but there may not need to be a step   
   > 2 for a server /if/ the collective set of servers are the 'central'   
   > storage of keys and the protocol has a way to supply a public key for   
   > 'server/user X' on demand.   
   >   
   > 6) for each post, from any user of serverX, serverX further signs the   
   > message using the serverX private key and inserts the appropriate   
   > message headers containing the "server signature" (note that here one   
   > most likely wants this server sig.  to cover [and thus authenticate]   
   > the user signature headers of the message).   
   >   
   > The result is that a recipient, should they choose to do so, can   
   > verify that any given message was signed by serverX using the serverX   
   > public key, and can further verify that the message was signed by userX   
   > of serverX via the userX of serverX public key.   
   >   
   >   
   > [1] Do note that the 'central source' could be the collective set of   
   > 'usenet2' servers, provided there was a way to request the 'key' of   
   > user 'X' from server 'Y'.  In which case #2 is "uploads public key to   
   > their 'usenet2' server".   
      
   Thanks.   
      
   I have not thought even five minutes on this, but it seems complicated.   
   A large NNTP server should be time-resilient, so, for example, to   
   eternally be able to verify signatures, we need to keep all used public   
   keys always available.  Archiving, as we know, is not an easy task.   
      
   When I think of a user's network, I think of a kind of mailing list via   
   NNTP, but not like Gmane.  I subscribe myself to a group in a server by   
   getting an authorization from the server (for that group specifically).   
   I register that authorization in my client.  Now I can post to that   
   group.  Without an authorization, I'd only be able to read it.  Other   
   servers can easily host that group for reading.  Servers connected to   
   these other servers could not post to that group---only read it.  If an   
   external client (that is, one connected to these other servers) would   
   ever like to post, the author would write his post and the client would   
   directly connect to the group's original server, authenticate itself,   
   and then post.   
      
   In other words, let's not share responsibility.  Each server controls   
   its groups---and lets others easily read it, archive it, disseminate   
   it.  This way experts can have their own turf, let the world see their   
   discussion without disturbing them.   
      
   How is membership controlled in the Linux kernel mailing list (for   
   example)?  I don't know.  I'd think someone must approve new members.   
   I'd like to keep an eye on those discussions via NNTP, but it seems I   
   cannot easily do that.  Surely someone is archiving that in an NNTP   
   server somewhere.  I'm on Eternal September.  It should be an easy   
   matter for me; if it is not, then I think that's an opportunity for new   
   work.   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
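
The signing scheme sketched in steps 1 to 6 of the quoted reply, as an added Go example that is not part of the original post. Ed25519 from the Go standard library stands in for gpg, and the Post fields, the KeyDir directory and the identifiers are assumptions. The last case shows the archiving concern raised in the reply: once the key directory loses a public key, an old post can no longer be verified.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Post is a hypothetical 'usenet2' article (field names are assumptions).
// KeyDir stands in for the "central source" of public keys in footnote [1].
type Post struct {
	From, Server, Body string
	UserSig, ServerSig []byte // would travel as message headers
}
type KeyDir map[string]ed25519.PublicKey

// userBytes is what the author signs; %q keeps field boundaries unambiguous.
func userBytes(p Post) []byte { return []byte(fmt.Sprintf("%q %q %q", p.From, p.Server, p.Body)) }
// serverBytes also covers the author's signature, as step 6 suggests.
func serverBytes(p Post) []byte { return append(userBytes(p), p.UserSig...) }

func check(d KeyDir, id string, msg, sig []byte) error {
	if pub, ok := d[id]; !ok {
		return fmt.Errorf("no public key for %s", id)
	} else if !ed25519.Verify(pub, msg, sig) {
		return fmt.Errorf("bad signature from %s", id)
	}
	return nil
}

// Verify checks the server signature first, then the author's.
func Verify(d KeyDir, p Post) error {
	if err := check(d, p.Server, serverBytes(p), p.ServerSig); err != nil {
		return err
	}
	return check(d, p.From, userBytes(p), p.UserSig)
}

// Demo verifies a constructed post: intact, with an edited body, and with the author's key lost.
func Demo() (intact, edited, lostKey error) {
	upub, upriv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	spub, spriv, _ := ed25519.GenerateKey(nil)
	d, lost := KeyDir{"userX@serverX": upub, "serverX": spub}, KeyDir{"serverX": spub}
	p := Post{From: "userX@serverX", Server: "serverX", Body: "constructed sample body"}
	p.UserSig = ed25519.Sign(upriv, userBytes(p))     // step 4: client signs
	p.ServerSig = ed25519.Sign(spriv, serverBytes(p)) // step 6: server countersigns
	q := Post{p.From, p.Server, "edited after signing", p.UserSig, p.ServerSig}
	return Verify(d, p), Verify(d, q), Verify(lost, p)
}
func main() { fmt.Println(Demo()) }
```
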



(c) 1994,  bbs@darkrealms.ca