
Re: Fwd: Re: IP: Microsoft breaks Mime specification

2002-01-23 12:30:02
On Wed, 23 Jan 2002 08:49:49 PST, Kyle Lussier <lussier(_at_)autonoc(_dot_)com> said:

> No one wants to be bogged down with bureaucracy, but I don't
> mind filling out an application, sending in $100, and getting

Things are always simple when things are working...

> the logo.  If I become a bad vendor, then people in an IETF
> WG can move to yank my logo.  There should be a process for
> the "yanking" of the logo that is very fair, and arguably
> should happen over a period of time, be pretty lenient
> and give vendors more than ample time to "do the right thing."

On the other hand, all it takes is one large vendor who realizes that
it's cheaper to send one of their lawyers over to have a friendly chat
with you than to actually *fix* the problem...

You're also overlooking another problem - Installed User Base.  Let's
make the assumption that Bill Gates was *serious* in the quotes last
week that Microsoft is dedicating itself to security.  Now, let's even
assume that next week, Microsoft ships Outlook 2002 and IE 7, and that
both are completely and totally free of both security issues(*) and RFC
violations.

Compute how many years it will take before the current releases go away.
Hint - how many Windows95 boxes are *still* out there?

Remember Code Red and Nimda? Microsoft *HAD FIXED THOSE BOTH ALREADY*.
If a vendor *fixes* something and we get burned that bad, what makes you
think that yanking the right to use a logo will change anything?

/Valdis

(*) A case could be made that many Outlook/IE security issues are due
to violation of the MIME RFC's suggestion that the security model for
active content be very closely scrutinized.  Unfortunately, RFC2046 says:

9.  Security Considerations

   Security issues are discussed in the context of the
   "application/postscript" type, the "message/external-body" type, and
   in RFC 2048.  Implementors should pay special attention to the
   security implications of any media types that can cause the remote
   execution of any actions in the recipient's environment.  In such
   cases, the discussion of the "application/postscript" type may serve
   as a model for considering other media types with remote execution
   capabilities.

Not even an RFC2119 capitalized SHOULD. (Yes, I know it predates 2119 ;)


