Document: FSC-0055
Version:  001
Revision: 31-Mar-1991




             Security Passwords in Nodelist Update Files

                             Luke Kolin,
               1:250/714@fidonet.org, 89:480/210@imex

                          March 31st, 1991


    Status of this document:

         This FSC suggests a proposed protocol for the FidoNet(r)
	 community,  and requests discussion and suggestions for
	 improvements.  Distribution of this document is subject
	 to the restrictions listed below.

         Fido and FidoNet are registered marks of Tom Jennings
         and Fido Software.

         The author grants the FTSC unlimited  distribution and
         reproduction rights  in order to facilitate discussion
         of the proposals in this document.

         MakeNL is a program by Ben Baker.

         SysNL is a program by Luke Kolin.



  PURPOSE

	This document is intended to explain the format and purpose of
  security passwords within nodelist update files, and to inform the
  authors of nodelist software about its proper usage.


  THE NEED FOR PASSWORDS

	Until now, the nodelist update files that *Cs create with software
  packages such as MakeNL or SysNL have had no security passwords inside
  of them. The only security between the NC and an RC has been the name
  of the update file itself. For example, the name of the Net 250 update
  file was "Metronet.250". It was quite conceivable for a sysop, upon
  discovering this name, to make a fraudulent update file, also called
  "MetroNet.250", and send this to 1:12/0. The nodelist processor which
  created the regional update file at that end would not know that the
  file was not genuine, and this would be added to the weekly update for
  the region.


  PASSWORD FORMAT

	It seems emminently logical that some sort of security password
  should be added to nodelist update files, to prevent the aforementioned
  problems from occurring. Therefore, I propose that nodelist update files
  have an optional password in the first (header) line, right after the
  ";A" general interest flag. The first character of this case-sensitive
  password shall be an "at" sign @ (ASCII decimal 64 hex 40). If this
  character is present, then all characters after it, until (but not
  including) the next space (ASCII decimal 32 hex 20) will be considered
  part of the password. As well, no password may be 8 characters or more
  in length. This is a sample header line, with a password of ConSoft
  present:

  ;A @ConSoft Net 250 nodelist file for Friday, February 22nd : 10344

	Please note the password starts right after the first space (ASCII 
  32) with the ASCII 64 decimal character, and is case-sensitive. The
  following is a sample header, without a password present:

  ;A Net 250 nodelist file for Friday, March 1st : 13501


  NOTES

	It is extremely important that the password be on the first line
  of the nodelist update file. It must commence immediately after the first
  space (ASCII 32) character, with an ASCII 64 "at" sign. Remember, it is
  case-sensitive.

	I believe that it is up to the authors of individual nodelist
  utilities to deal with the presence of passworded update files as they
  believe fit. However, it is my belief that utilities, when faced with
  a file with a bad password, retain a copy of a previous (good) update
  file, which should be used instead of the bad one, to prevent the equally
  nasty problem of a bad update file preventing an entire network/region
  from being included.

	Please note that I do not participate in either the FTSC or NET_DEV
  conferences. I can be reached at 1:250/714@fidonet.org, or in Imex at
  89:480/210@imex.