
Re: Call for Review of draft-iab-filtering-considerations-06.txt, "Technical Considerations for Internet Service Blocking and Filtering"

2014-01-31 05:35:40
Hi

On Thu 30/Jan/2014 22:17:25 +0100 Alissa Cooper wrote:
> On 1/30/14 10:52 AM, "Alessandro Vesely" <vesely(_at_)tana(_dot_)it> wrote:
>> On Wed 29/Jan/2014 17:16:56 +0100 IAB Chair wrote:
>>>
>>> The document is available for inspection here:
>>> https://datatracker.ietf.org/doc/draft-iab-filtering-considerations/
>>
>> Although it purports to keep clear of (un)ethical considerations, the
>> document seems to be oriented toward government-imposed restrictions,
>> recounting how it would be better to move filtering to collaborative
>> endpoints rather than disrupting Internet operation, since bad actors
>> can circumvent filtering anyway.  I fully agree, but I think that a
>> general purpose document on this subject might have touched on such
>> points as password management, user identification, and outbound port
>
> Could you expand a bit on what you feel is missing as regards
> password management and user identification?

Blocking dictionary attacks is an obvious requirement for any server
endpoint.  Perhaps that topic is not really /missing/, since it is so
obvious and apparently overworked.  However, most of the applications
which log authentication failures don't support tracking the number of
failed attempts against a given password.  Thus, policies blindly
require passwords to be changed after T days, irrespective of the
entropy that a password had and the amount of it that could have been
eroded by failed attempts.  So maybe that topic is not as overworked
as it may appear.

Upon authentication, a user-id qualifies an endpoint.  Together with a
realm-id, it makes a global identifier.  Email address confirmation
can be considered a kind of rendezvous service, which users can block
by discarding the request.  The exchange of marketing profile data
between unscrupulous operators, often based on email addresses, is a
kind of abusive or objectionable communication.  Disposable addresses
are an example of a mechanism to block that indirectly.  They require
endpoint-based support at both ends, which is rather uncommon.

Thank you for your interest
Ale
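The point made above about tracking failed attempts per password, rather than rotating on a fixed T-day clock, can be shown concretely. The following is an added example; it is not code from this thread, from the IAB draft, or from any authentication product. The log format, the user names and source addresses, the PWCHANGE event, and the per-user entropy estimates are all constructed assumptions. It counts failed logins against each user's current password generation and derives a rotation decision from how much of the password's guess space those failures have consumed.

```python
"""Per-password failed-attempt tracking for authentication logs.

Added example (not from the mail thread or the IAB draft).  Counts failed
logins against each password generation and decides rotation from entropy
erosion instead of a fixed T-day clock.  Log format, names, addresses and
entropy figures below are constructed assumptions.
"""
import math
import re
from collections import defaultdict

# Constructed sample log (assumed format): one auth event per line.
# PWCHANGE marks the moment a user set a new password; it starts a new
# password generation and resets that user's failed-guess counter.
SAMPLE_LOG = """\
2014-01-30T10:52:01Z auth FAIL user=alice src=203.0.113.5
2014-01-30T10:52:03Z auth FAIL user=alice src=203.0.113.5
2014-01-30T10:52:09Z auth OK user=alice src=203.0.113.5
2014-01-30T11:00:00Z auth FAIL user=bob src=198.51.100.7
2014-01-30T11:00:01Z auth FAIL user=bob src=198.51.100.7
2014-01-30T11:00:02Z auth FAIL user=bob src=198.51.100.7
2014-01-30T11:30:00Z auth PWCHANGE user=bob src=192.0.2.10
2014-01-30T11:31:00Z auth FAIL user=bob src=198.51.100.7
2014-01-30T11:31:05Z auth OK user=bob src=192.0.2.10
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<event>FAIL|OK|PWCHANGE) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Assumed entropy estimate (bits) per user's current password; a real system
# would record this from the password policy or a strength estimator at set time.
ASSUMED_ENTROPY_BITS = {"alice": 20, "bob": 40}
DEFAULT_ENTROPY_BITS = 28   # assumed fallback for users without an estimate
MIN_BITS = 19               # rotate once remaining entropy drops below this


def parse_auth_log(text):
    """Return (timestamp, event, user, src) tuples; unparseable lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["ts"], m["event"], m["user"], m["src"]))
    return events


def failures_per_password(events):
    """Map user -> failed attempts against that user's *current* password.

    A successful login does not reset the count: the wrong guesses already
    made still narrowed the search space of that password.  Only a
    password change (PWCHANGE) starts a fresh counter.
    """
    counts = defaultdict(int)
    for _ts, event, user, _src in events:
        if event == "PWCHANGE":
            counts[user] = 0
        elif event == "FAIL":
            counts[user] += 1
    return dict(counts)


def remaining_entropy_bits(entropy_bits, failed_guesses):
    """Entropy left after `failed_guesses` wrong guesses against a 2^H keyspace.

    Each wrong guess removes one candidate, leaving log2(2^H - n) bits.
    Repeated guesses are counted as well, which keeps the estimate conservative.
    """
    left = 2.0 ** entropy_bits - failed_guesses
    return math.log2(left) if left > 1 else 0.0


def guess_budget(entropy_bits, min_bits):
    """Wrong guesses tolerable before remaining entropy falls below min_bits."""
    return int(2 ** entropy_bits - 2 ** min_bits)


def should_rotate(entropy_bits, failed_guesses, min_bits):
    """True when the observed failures have eroded the password below min_bits."""
    return remaining_entropy_bits(entropy_bits, failed_guesses) < min_bits


def rotation_report(text, entropy_by_user=ASSUMED_ENTROPY_BITS, min_bits=MIN_BITS):
    """Per-user summary: failures seen, entropy left, guesses still tolerable, verdict."""
    failures = failures_per_password(parse_auth_log(text))
    report = {}
    for user, n in failures.items():
        h = entropy_by_user.get(user, DEFAULT_ENTROPY_BITS)
        report[user] = {
            "failed_guesses": n,
            "remaining_bits": round(remaining_entropy_bits(h, n), 3),
            "budget_left": guess_budget(h, min_bits) - n,
            "rotate": should_rotate(h, n, min_bits),
        }
    return report


if __name__ == "__main__":
    for user, row in rotation_report(SAMPLE_LOG).items():
        print(user, row)
```

With the constructed log, neither user is anywhere near the rotation threshold, which is the point: a handful of failures against a 20-bit password barely moves its remaining entropy, whereas a calendar-based policy would force a change regardless of whether any guessing happened at all. Lowering the assumed entropy or raising the failure count shows the threshold engaging.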