3 by Greg Rose <ggr@usenix.org>
5 The aim of this software is to monitor the news
6 postings of moderators of USENET newsgroups, and to
7 automatically cancel forged messages purporting to
8 be approved. This can be extended to the approvals
9 of individual users to automatically cancel messages
10 that appear without having been authorised by the
11 user. This has (obviously) been prompted by the
12 recent spammings and other events.
14 This software and protocol is designed around
15 cryptographic signatures. The protocol is designed
16 to allow the use of different signature techniques.
17 This implemention assumes the use of PGP signatures,
18 but can be easily modified to use others, such as
19 the Digital Signature Standard. PGP was chosen for
20 its widespread availability around the world.
22 PGP, the crux of the cryptographic software, was
23 written by Phil Zimmermann <prz@acm.org>, who
24 otherwise has nothing to do with this. The
25 cryptographic framework was written by Greg Rose
26 <ggr@usenix.org>, as were the INN news system
35 How Do You Register For The Service?
36 Handling Multiple Moderated Groups:
37 Possible Problems We've Forseen:
39 Obtaining, installing, configuring:
40 It Really Wasn't That Hard.
47 This document is written from the point of view of
48 a newsgroup moderator, but individual users could
49 also use the facility in analagous ways.
51 When a moderator wants to protect their group from
52 forged/unapproved postings, they should register
53 their interest with one or more of the sites running
54 PGP Moose, and pick up the submission script. As
55 part of this process, the moderator would specify
56 one or more PGP public keys that are allowed to
59 When a post comes in, and the moderator wishes to
60 approve it, they do whatever they would normally
61 do before actually using inews (or whatever) to
62 post the message. As their last action, they run
63 the PGP Moose Approval program "pmapp". This
64 inserts a special header which
67 X-Auth: PGPMoose V1.0 PGP sci.crypt.research
68 iQBVAgUBL1/Kg2zWcw3p062JAQEYIgH/Xyrz6LaGG+fHaSxoexMECovzkIoADrQx
69 l73IXlUQEIoFl5jnDBBdHVvqTMEPS0118ytYVQZoQrdStuXB9Oc9gQ==
72 If there are multiple moderated newsgroups, there
73 might be multiple X-Auth: headers, one
74 for each group that has requested assistance from
75 the PGP Moose daemon. In this example you can
76 see that the authentication carries the name of
77 the authenticating program, a protocol version
78 number, an identifier of the type of digital
79 signature (currently only PGP) and the name of
80 the newsgroup in question. These, as well as the
81 From:, Subject: and Message-Id: lines, the list
82 of newsgroups, and the non-blank lines of the
83 message itself, are used as input to the PGP
84 program to generate a signature.
86 The lines of the message body are preprocessed in
87 a way that is meant to render harmless any mangling
88 that a typical news system might do to the article.
89 The article itself is not changed, only the input
90 to the signature generation. If a news system
91 subsequently mangles the article in a "norma" way,
92 for instance by inserting a ">" in front of a line
93 starting with "From", it will still pass the signature
96 The list of newsgroups must be handled specially,
97 so that an article posted to multiple moderated
98 controlled newsgroups can be appropriately
99 handled. See below for a more detailed treatment
100 of the issues of posting to multiple moderated
103 The PGP signature is then inserted into the
104 X-Auth: header, mostly so that it won't
105 interfere with, or be confused with, any signature
106 in the body of the message.
108 Anybody can check whether the message has been
109 modified in any significant way, simply by running
110 the PGP Moose Approval Checking program "pmcheck".
111 More importantly, though, the sites running the PGP
112 Moose Checking Daemon will be doing this automatically
113 for every posting to the registered newsgroups, or
114 from the registered users. And, if a posting fails
115 the checks, it may be automatically cancelled, and
116 a notification sent to the moderator. (Initially,
117 the automatic cancellation will be disabled, since
118 it is a pretty powerful sledgehammer, but that is
119 the intention anyway.)
121 This software is made freely available for just
122 about any purpose, but I've retained copyright so
123 as to keep some semblance of involvement. See the
124 last section of this file.
130 The approval and checking part of the PGP Moose
131 consists of a number of Bourne Shell scripts calling
132 standard Unix utilities and PGP. I could have used
133 perl more elegantly, but this stuff is marginally
134 more widely available. If there are Unix version
135 dependencies, they should be considered to be bugs
136 and I'll happily attempt to remove them.
138 pmapp usage: pmapp [newsgroup|user] [file]
140 This script takes the not-yet-posted
141 article, specified either by filename or
142 from standard input, and creates a
143 signature for it, which is then inserted
144 in the X-Auth: header. The article,
145 ready for posting, appears on the standard
148 In the configuration section at the top of
149 the script, the moderator may build in the
150 default name of the newsgroup or user, PGP
151 User Id to be used for the signature, and
152 the corresponding password. This is simply
153 for convenience, since spammers are not so
154 likely to go cracking the computer to get
155 the password, and it is a relatively simple
156 matter to generate a new user if it is,
157 indeed, compromised. For the paranoid, like
158 myself, if the password is not configured
159 into the script it is read from the terminal
162 pmcheck usage: pmcheck [newsgroup|user] [article]
164 This script takes the article, specified
165 either by filename or from standard
166 input, and checks that the
167 X-Auth: line is something it
168 considers to be correct and that the
169 article has not been tampered with.
170 Pmcheck returns successfully if
171 everything checks out. Otherwise it will
172 return failure and issue one of a number
173 of error messages, for example:
175 Posting for $NEWSGROUP not approved with PGP Moose.
176 Invalid designated signature from $GROUP
177 No public key for signature $GROUP
178 Signature doesn't match $FILE for $GROUP
179 '$SIG' not accepted for $GROUP.
181 Anybody can run pmcheck. It behaves slightly
182 differently depending on the existence of
183 a file called (by default)
184 PGP_Moose_accept, and the presence or
185 absence of a newsgroup or user argument.
186 This file, if it exists, should contain
187 lines with a newsgroup name or email address,
188 some whitespace, and the PGP User Id approved
189 by the moderator or user (usually made up
190 specifically for this purpose). Multiple
191 lines for the same newsgroup/user are allowed.
194 sci.crypt.research moderator <ggr@sydney.sterling.com>
195 sci.crypt.research moderator <pgut01@cs.auckland.ac.nz>
196 ggr@sydney.sterling.com Greg's News <ggr@sydney.sterling.com>
198 If such a file exists, and a specific
199 newsgroup or user is specified, pmcheck is silent
200 if all is well, and issues the last of the
201 error messages above if everything else
202 was all right but the signature was from
203 the wrong person. There must, in this
204 case, be a signature applying to the
205 designated newsgroup or user.
207 Without such a file, or if no specific
208 newsgroup or user is given, all the signatures
209 in the article are checked. In this case
210 it is not considered an error if the signature
211 cannot be checked due to a missing public
212 key. If each signature is otherwise valid
213 you will get a message like:
215 Valid signature from '$SIG'.
217 In any case, if there is a problem with a
218 signature mentioned in the PGP_Moose_accept
219 file, it will be reported and an error status
224 These two scripts are used by pmapp and
225 pmcheck to recreate the exact input for
226 the signature, and to extract the list of
227 newsgroups in the header, respectively.
228 More documentation is in their manual
231 The PGP Moose checking daemon is packaged
232 separately, as there would not seem to be a lot
233 of value in having too many people running it.
234 Accordingly, I was less precise in making it run
235 absolutely everywhere. It requires the Korn shell
236 or equivalent, and perl, and currently only
237 interfaces to INN. I expect it would be easy to
238 interface it to CNews, but I don't have one.
241 Runs pmcheck to check the X-Auth: header
242 for each controlled newsgroup for each
243 article that arrives in an appropriate
244 newsgroup. Mail is sent about any errant
245 articles, and automatic cancellation may
249 prepares a cancellation message based on
250 the headers of another message.
252 When (if) I get a chance, I will create mail
253 server scripts that allow moderators who are not
254 using Unix to use these facilities. The first
255 allows a moderator to mail a PGP signed copy of
256 the article to be posted. The server will then
257 verify that the moderator sent it, and post it
258 with a (different but corresponding) approval.
259 The second will accept an article and return
260 something that you can check the signature on.
261 Either way, any moderator will still need PGP.
264 How Do You Register For The Service?
265 ------------------------------------
267 Ahhh, this is the hard part. After all, it would
268 be pretty undesirable if someone, meaning well,
269 took any old body's word for it that some
270 important moderated group should start working
271 this way, before the moderator was able to start
272 approving postings. A great way to hijack a
273 newsgroup. Similarly for hijacking some other
274 user's postings (tempting though it might be :-).
276 Another possibility is that someone, having seen
277 what the valid signature looks like, simply
278 creates a whole new PGP key that happens to have
279 the same PGP User ID. Then they can sign and post
282 The solution to both of these problems is the
283 classical one for public key systems. You need
284 either a certifying authority or the PGP Web of
285 Trust. We're using the Web of Trust. If you don't
286 understand about PGP and the Web of Trust, go away
287 now and come back after you really do understand
290 For each newsgroup that wants to utilise this
291 program, the moderator will have to create a
292 special PGP key pair (preferably 512 bits to keep
293 the X-Auth: down to two full lines), and sign it. They
294 must then establish a path of trust to someone
295 who is running the PGP Moose server. It will be
296 up to the administrator of that server to make
297 sure that only trusted moderators' keys ever get
298 into the server's keyring.
300 THERE CAN BE NO SHORTCUTS TO THIS PROCEDURE.
301 Otherwise we are all back where we started.
303 In the case of an individual user, again you should
304 establish this verification path to one of the
305 administrators of the PGP Moose service. Contact
306 me (ggr@usenix.org) for the time
307 being to mutually figure out how to do this.
310 Handling Multiple Moderated Groups:
311 ----------------------------------
313 When I first proposed this tool, I was under the
314 impression that postings to multiple moderated
315 groups was an abberation that should be stamped
316 out. This turns out not to be the case, and
317 revisions to support this have been the cause of
318 some delay in the deployment of this tool.
320 When the news system sees that an article has been
321 posted to one or more moderated groups, it checks
322 for an Approved: header. If the header exists, the
323 article is accepted and processed normally,
324 otherwise it is mailed to the moderator of the
325 first moderated newsgroup mentioned in the
326 Newsgroups: header. There seem to be three cases of
329 The trivial case, and the most normal one, is
330 that there is only one moderated newsgroup
331 mentioned. The moderator approves the posting, and
334 The next, and probably most important, case, is
335 when a moderator wants to cross-post a FAQ to
336 their own group, as well as news.answers (for
337 example). In this case their approval counts for
338 both groups, so they can insert the Approved:
339 header and post away. Presumably the other groups
340 are not under the control of the PGP Moose Daemon.
341 In this case the moderator can just go ahead and
342 put in the Approved: header, and save themself
343 and pmapp a lot of time. It will be passed right
346 The other case is harder to get right. This is when
347 the article really is meant to be posted to two (or
348 more) unrelated moderated newsgroups. Now, if the
349 first moderated group's moderator approves the
350 posting, the other ones never hear about the article,
351 at all. If this second group is controlled by the
352 PGP Moose an automatic cancel will be generated. So
353 it becomes very important for the moderators to do
354 what they should have been doing already, namely
355 forward the article to the next moderator. This tool
356 can't help people who don't use it, but it provides
357 some support for those who do.
359 The approval script checks whether there are any
360 moderated newsgroups left that don't have
361 X-Auth: headers for them. If there are
362 none left, an Approved: header is inserted and the
363 article gets posted. Otherwise, it issues a warning,
364 and re-orders the newsgroups header with a newsgroup
365 which is moderated but has no X-Auth: line
366 at the start. When the article is posted, the news
367 system will forward it to the moderator of the (new)
368 first moderated group. If all moderators are sensible,
369 and check for moderated newsgroups in this fashion,
370 the mess should sort itself out and the last moderator
371 will go ahead and post it. A warning nessage to
372 the subsequent moderator NOT to change the
373 article is also inserted, since such a
374 modification would invalidate the previous
377 To ease this process, a second type of
378 X-Auth: header is supported. this has
381 X-Auth: None ... Newsgroup
383 The important fact about this is that
384 the newsgroup appears last on the line, allowing a
385 sort of partial approval, from moderators who
386 don't use the PGP Moose.
388 The Newsgroups: line is split into a sorted list
389 of newsgroups for the purpose of generating the
390 digital signature. Note that this means that once
391 an article has been approved and authenticated by
392 one moderator, it cannot be altered in any way by
393 a moderator of a subsequent group, including
394 altering the set of newsgroups mentioned in the
395 Newsgroups: header, the body of the posting, or
396 the other headers mentioned above.
399 Possible Problems We've Forseen:
400 --------------------------------
402 If an article is truly mangled e.g. by truncation, it
403 will fail the authentication and be cancelled.
404 Until it is demonstrated otherwise, this is
405 assumed to be a rare and minor problem. When a
406 cancel is issued, mail is sent to the moderator of
407 the group telling them, and they can tell us if it
408 becomes a problem. (In the initial deployment we
409 expect that no automatic cancels will actually be
410 generated, only the notification mail will be
413 Currently the signature produced is assumed to be
414 a PGP version 2.6 compatible one.
420 These scripts are implemented already, or as noted
421 above. They are undergoing beta testing and as soon
422 as they have settled they will be made available
423 via anonymous FTP and posting to comp.sources.misc
424 and sci.crypt.research and the moderators' list.
426 In the meantime, if you want to use the tools, or
427 particularly if you want to run a PGP Moose
428 checking daemon, contact me (ggr@usenix.org).
431 Obtaining, installing, configuring:
432 -----------------------------------
434 I regret that I don't have a public ftp site, but
435 I do have a web page where you can get a
436 compressed tar archive of the approval code. It is
437 <A HREF=http://www.usenix.org/~ggr/PGPMoose.html>
438 off my home page</A>.
440 It is hard to talk in detail about installation
441 and configuration, since many users are not in
442 charge of their own news server configuration. In
443 my case, I run all of the things out of a
444 subdirectory of my home directory. The only
445 thing outside this area which must be changed is
446 the INN newsfeeds file, if you are running the
447 checking daemon. So, get the distribution file as
448 above and unpack it whereever you want it to live.
450 There are configuration sections at the top of
451 pmcheck, pmapp and pmdaemon. I like to think that
452 they are relatively self-explanatory. One of the
453 harder decisions is whether to use a separate
454 keyring for PGP Moose applications or not. It is
455 very strongly recommended that you do, if you are
456 going to run the PGP Moose checking daemon, as
457 the keyring files will need to be readable by the
458 userid which INN runs under (usually "news").
459 Most of these options can also be overridden by
460 environment variables or command arguments, so it
461 is possible to leave the scripts unmodified and
462 simply put a wrapper around them (which is what I
465 In the case of pmapp, the newsgroup or user that
466 the authentication applies to can be specified on
467 the command itself; The PGP user id and password,
468 and the Approved: header's contents, can be
469 specified by environment variables PMUSER,
470 PMPASSWORD and APP, respectively.
472 For pmcheck, the important one is the name of the
473 configuration file specifying which signatures
474 are valid for which newsgroups or users.
476 Pmdaemon runs from INN, and needs some special
477 care to set it up. "news" needs access permission
478 to the directory and files for PGP Moose, and
479 also read permission on the public keyring. Note
480 that PGP creates keyrings with only owner
481 permissions. The search path is rarely correct,
482 and should be set at the top of the pmdaemon
483 script. There are also a number of file names and
484 mail addresses, but the comments should be clear
487 Lastly, you want to incorporate pmapp in your
488 moderation script and possibly your posting
489 script. In my case, the last line of my posting
490 script basically said
492 /usr/local/news/inews -S -h <tempfile
496 pmapp <tempfile | /usr/local/news/inews -S -h
498 To authenticate postings as an individual (as opposed
499 to a moderator) I had to take a copy of the
500 installed Pnews script, make sure it came earlier
501 on my search path than the normal one, and modify
502 that. You have to be careful that no extra
503 signature files get appended after the pmapp is
504 executed. Again, immediately before the "inews"
505 call is the right place. I'm not sure whether
506 this will work for all versions of news, this is
507 not really my field of competence.
510 It Really Wasn't That Hard.
511 ---------------------------
513 I wish people had put as much effort into doing
514 this as they did into clogging the Moderators'
515 mailing list. It wasn't hard.
517 But you know what was hard? What Phil Zimmermann
518 did creating PGP in the first place. Phil is in
519 serious legal hassles over PGP, and if you think
520 this effort saves you or your company some time
521 or money, I'd like you to consider donating some
522 of it to Phil's legal defence fund. Write to me
523 or Phil's lawyer Phil Dubois <dubois@acm.org>
524 regarding how to donate. You can do it over the
525 net using PGP! I probably also should thank the
526 many people who have worked hard to bring
527 encryption back out of the black chambers. Some
528 names which directly come to mind are Diffie,
529 Hellman, Merkle, Rivest, Shamir, Adelman, Lai,
530 Massey, and probably many others.
538 This software is copyrighted by Greg Rose, RoSecure
539 Software, and other parties. The following terms
540 apply to all files associated with the software
541 unless explicitly disclaimed in individual
544 The authors hereby grant permission to use, copy,
545 modify, distribute, and license this software and
546 its documentation for any purpose, provided that
547 existing copyright notices are retained in all
548 copies and that this notice is included verbatim
549 in any distributions. No written agreement,
550 license, or royalty fee is required for any of
551 the authorized uses. Modifications to this
552 software may be copyrighted by their authors and
553 need not follow the licensing terms described
554 here, provided that the new terms are clearly
555 indicated on the first page of each file where
558 IN NO EVENT SHALL THE AUTHORS OR DISTRIBUTORS BE
559 LIABLE TO ANY PARTY FOR DIRECT, INDIRECT,
560 SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES
561 ARISING OUT OF THE USE OF THIS SOFTWARE, ITS
562 DOCUMENTATION, OR ANY DERIVATIVES THEREOF, EVEN
563 IF THE AUTHORS HAVE BEEN ADVISED OF THE
564 POSSIBILITY OF SUCH DAMAGE.
566 THE AUTHORS AND DISTRIBUTORS SPECIFICALLY
567 DISCLAIM ANY WARRANTIES, INCLUDING, BUT NOT
568 LIMITED TO, THE IMPLIED WARRANTIES OF
569 MERCHANTABILITY, FITNESS FOR A PARTICULAR
570 PURPOSE, AND NON-INFRINGEMENT. THIS SOFTWARE IS
571 PROVIDED ON AN "AS IS" BASIS, AND THE AUTHORS AND
572 DISTRIBUTORS HAVE NO OBLIGATION TO PROVIDE
573 MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR
580 @(#)README 1.6 (PGPMoose) 95/10/21