On Tue, 6 May 2003 20:50:50 -0400
Eric D Williams <eric(_at_)infobro(_dot_)com> wrote:
On Tuesday, May 06, 2003 7:50 PM, J C Lawrence [SMTP:claw(_at_)kanga(_dot_)nu]
wrote:
On Tue, 6 May 2003 12:10:21 -0700 (PDT) Michael Rubel
<asrg(_at_)mikerubel(_dot_)org> wrote:
Nope, there's nothing in there specific to RMX, RMX just prompted
some mental noodling which ended up with me doing some arm waving at
future attack vectors. RMX is broken for simpler reasons, which have
been well covered without my help.
Please explain. I do not think that your example has shown a flaw in
RMX.
<sigh> Please read what I wrote. Your question states that you haven't.
As I stated in my message on this point the attack scenario you
describe is a security concern primarily and a spam issue secondarily.
Quite.
In fact if a system is compromised spamming would be a minimal concern
as compared to eliminating the vulnerability.
Empirically, average homeowner desktop users do not have that view, not
even slightly.
Please give an example of how RMX is fundamentally broken. I have
heard that opinion several times today, could you provide an example
(especially since it is so trivial - I have not been able to come up
with one)?
Not my business, not my interest. This message represents almost an
order of magnitude greater investment in RMX than I have interest in it.
The list archives cover the ground quite effectively. If you don't read
them that way, that's up to you. We differ. Life will go on.
As you note, RMX would not help against this kind of attack, and
frankly neither would any other proposal I'm aware of. If I can
trick your machine into thinking I'm you, then I can do bad things
in your name and thus make you look bad.
Quite. As I noted at the time, this is a core problem with edge
authentication schema, and isn't necessarily resolvable.
I am not sure of what you are saying are you referring to systems
commonly known as user desktops? I did not recognize the attack
vector in your example or a description of what part of RMX introduced
a flaw/vulnerability into the compromised system.
Aiiieee! Please try reading a message as written. I have made no
specific comment about user desktops except as an example application of
the attack vector. User desktops, as a specific case are uninteresting.
There's nothing unique there. Just how many times do I have to write
that RMX is not particularly involved in that attack vector?
I submit that RMX gives a significant improvement, and it's just
simple/easy enough that people might start using it!
Deployment expenses with RMX are a significant problem, as are the
ROI curves related to percentage deployments and fundamental email
use costs. You can arm-wave technical solutions at them, but they
merely increase the deployment, support, and maintenance costs for a
negative ROI on the part of the deployer. You are attempting to
recreate top-down authority structures when the natural (and proper?)
tendency of the field in normal legitimate use is for
self-authenticating/identifying nodes, not external nomination
systems.
From where does this analysis stem.
Me.
Please cite examples of how you determined the deployment costs and
ROI on RMX. I am interested in reproducing your results for
validation.
Sorry, no. Simply, it is neither worth my time or yours. Arguments,
evaluations, and empirical evidence has been presented in the last weeks
which you have variously ignored, decreed as irrelevant, or labeled as
an acceptable cost. I've no interest in repeating that history when it
is so readily available in the archives. Not my job, not my investment,
not my interest.
Now, can we move on to digging out a proposal which has a chance of
being useful instead of beating dead horses?
I think it's still twitching.
Aye, sometimes the nerves take a bit longer to die.
--
J C Lawrence
---------(*) Satan, oscillate my metallic sonatas.
claw(_at_)kanga(_dot_)nu He lived as a devil, eh?
http://www.kanga.nu/~claw/ Evil is a name of a foeman, as I live.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg