ietf-mxcomp
Re: When spoofing is.

2004-03-19 12:28:00

Hallam-Baker, Phillip wrote:

Most of the problems involve perspective: The people who decide the
value of a trade-off -- that is, _us_ --


Actually the only people who get that choice are the people who write
the filters and the people who insert the records. We don't actually
have all that much influence unless they happen to like our trade offs.


So perhaps it would help if we can get feedback from those people directly. We need to get some realistic real-world feedback on this kind of stuff, since we are working on assumptions here. Otherwise, if this is a case of "I said" and "you said", we need to be conservative since we simply don't know otherwise.


Internet technology has been easy to upgrade when it has paid very, very careful attention to protection of the installed base. It has been very difficult to upgrade when that attention has been insufficient.


The issue is not the level of pain it is where it is felt. Is it going
to be felt by people who are likely to change? Is it going to be
felt by a constituency essential for adoption?


We don't have that information. We are basing this discussion on our assumptions, so unless we clearly have information to point us, like Dave said, we should try to be conservative.

In this case the pain felt by postcard services does not seem very important
to me since they are not a constituency that is critical to the success
of the spec, the value of the information they send is generally considered
to be very very low and so there is little downside for the receivers. The
postcard services won't be able to exist unless they change, it is easy
for them to do so, therefore they will do it.


I am not sure if American Greetings and their customers will agree with you. The players that are actually the ones who will implement this and change are not present here - they need to be informed and engaged, because I can bet you that we don't even realize half of the issues involved with this, that those companies can point out to us. Otherwise, I would stick with the smallest changes possible.

I think that the layout of the draft should be:

...
        Other authentication information
                STARTTLS always offered
                S/MIME always used
                Certificate validation
        Other server attributes
                Accreditation
                Frequent phishing target

This is generic policy stuff - we don't want to get into that. It is a much bigger can of worms than you think.

Yakov
