
Privacy and IETF Document Access (again)

2000-03-29 08:20:02
I recently noticed that ftp.ietf.org requires the use of an e-mail
address (well, ok, something that looks like an e-mail address) as
a password for anonymous login. ...

I obviously wasn't particularly clear about my concerns in my original note.

I'm concerned that by asking for an e-mail address prior to permitting
access to documents, the IETF may be projecting a poor public image of the
organization and its efforts to assure online privacy.  As an
organization, we pride ourselves on being more concerned than most about
privacy in a wired world.  But, our ftp configuration could be interpreted
as an indication that our actual data practices aren't much better than
anyone else's.

I suggest that the ftp.ietf.org configuration be changed to not ask for
nor check for an e-mail address for anonymous logins.  We might even
consider replacing the login message with a sentence indicating that
we don't think ftp servers should ask for e-mail addresses.

And, in response to the e-mail that resulted from my original note
(none of which addressed this issue, undoubtedly because I wasn't clear):

Yes, it is common practice since the beginning of recorded history to
ask for an e-mail address as a password for anonymous ftp access.  That
doesn't necessarily mean that this practice ought to be considered good
enough for the IETF's public image or that the IETF should endorse this
practice without thinking about it.

Yes, you can fake an e-mail address; that isn't the point.

Note, however, that while many ftp servers ask for an e-mail address
as a password, many (perhaps most) log the user in even if the password
string doesn't look like an e-mail address.  The IETF's ftp server,
however, refuses to log a person in if the password doesn't pass
minimal syntax tests.  (I'm not sure, but I think this behavior changed
"recently".  I thought the IETF ftp server used to accept anonymous users
in even if they typed garbage with no "@" as a password.  This belief,
perhaps mistaken, is what prompted my original note.)

No, I don't think this is a big privacy breach.  Rather, it is a matter
of projecting an appearance that the IETF takes network privacy seriously.

If the IETF doesn't take these minimal steps towards respecting online
privacy, how can we expect anyone else to?

-tjs


