On Wed, 23 Jan 2002 08:49:49 PST, Kyle Lussier <lussier(_at_)autonoc(_dot_)com>
No one wants to be bogged down with bureaucracy, but I don't
mind filling out an application, sending in $100, and getting
Things are always simple when things are working...
the logo. If I become a bad vendor, then people in an IETF
WG can move to yank my logo. There should be a process for
the "yanking" of the logo that is very fair, and arguably
should happen over a period of time, be pretty lenient
and give vendors more than ample time to "do the right thing."
On the other hand, all it takes is one large vendor who realizes that
it's cheaper to send one of their lawyers over to have a friendly chat
with you than to actually *fix* the problem...
You're also overlooking another problem - Installed User Base. Let's
make the assumption that Bill Gates was *serious* in the quotes last
week that Microsoft is dedicating itself to security. Now, let's even
assume that next week, Microsoft ships Outlook 2002 and IE 7, and that
both are completely and totally free of both security issues(*) and RFC
Compute how many years it will take before the current releases go away.
Hint - how many Windows95 boxes are *still* out there?
Remember Code Red and Nimda? Microsoft *HAD FIXED THOSE BOTH ALREADY*.
If a vendor *fixes* something and we get burned that bad, what makes you
think that yanking the right to use a logo will change anything?
(*) A case could be made that many Outlook/IE security issues are due
to violation of the MIME RFC's suggestion that the security model for
active content be very closely scrutinized. Unfortunately, RFC2046 says:
9. Security Considerations
Security issues are discussed in the context of the
"application/postscript" type, the "message/external-body" type, and
in RFC 2048. Implementors should pay special attention to the
security implications of any media types that can cause the remote
execution of any actions in the recipient's environment. In such
cases, the discussion of the "application/postscript" type may serve
as a model for considering other media types with remote execution
Not even an RFC2119 capitalized SHOULD. (Yes, I know it predates 2119 ;)
Description: PGP signature