ietf-mxcomp

Re: When spoofing is.

2004-03-19 11:58:53

On Fri, Mar 19, 2004 at 10:25:10AM -0800, Hallam-Baker, Phillip wrote:

> The issue is not the level of pain; it is where it is felt. Is it going
> to be felt by people who are likely to change?

More importantly, is it going to be felt by people who are able to
change?  If our solution requires, for example, the use of certain MUA
features that may not be present in all deployed MUAs, the end-users may
be faced with a no-win situation:  They can't send mail using the MUA in
question, and they may not be able to change MUAs (again, I'll raise the
example of a cellphone MUA.  These are typically not end-user
upgradeable, and the cellphone providers seem somewhat slow in rolling
out new firmware which adds features.  This is further complicated by
the existence of phones which do not have the ability to receive
firmware updates via the cell radio, but instead require a trip to a
provider brick-and-mortar to get the firmware installed).

Certainly, the cellphone example is a bit of an extreme case, but it's
illustrative of the ease with which what seems an otherwise innocuous
change can have lasting impact on an entire class of end-users.


> In this case the pain felt by postcard services does not seem very important
> to me since they are not a constituency that is critical to the success
> of the spec, the value of the information they send is generally considered
> to be very very low and so there is little downside for the receivers. The
> postcard services won't be able to exist unless they change, it is easy
> for them to do so, therefore they will do it.

Value is a relative term.  The value of such a service may seem low to
you, but the value to the service users and providers is almost
certainly higher.  This is, I believe, one of the points Dave was trying
to make.  We need to be very careful about such assumptions.


> In this particular case there is a very easy fix for the postcard sites,
> they just use their own name, not a random name that someone entered
> into a web form. They should have done that all along.


So, how should the recipient identify the entity that caused the card to
be sent, and how should the recipient reply to that entity?


-- 
Mark C. Langston                                    Sr. Unix SysAdmin
mark(_at_)bitshift(_dot_)org                                       
mark(_at_)seti(_dot_)org
Systems & Network Admin                                SETI Institute
http://bitshift.org                               http://www.seti.org

