John Gilmore writes:
It's already impossible to "finger" people at large companies to
discern their email addresses; and phone directories of most large
companies are not available. Some are concerned with having their
employees recruited by other companies; others want to impose a particular
chain-of-command on interactions with the outside world. (Then there's
the NSA, which won't even transfer you to a person even if you know their
name.)
Why would such companies or organizations make a publicly readable
X.500 database available that lists every employee's name, email
address, and public key?
While most "large corporations" do not like to publish their internal
employee telephone directories, it is common for them to have switchboards that
redirect specific calls to direct dialin extensions. This reflects a
security policy which permits "almost exact match" searching of this
directory, without asking the purpose of the inquiry, while limiting the
rate of information retrieval. Such a function is necessary for the business
to function, not to mention present a friendly face to the world.
Note that "downsizing" companies are replacing the operator with voice
mail and automated call redirectors, and, in any case, there would be no
"operator" to call for email.
The 1992 X.500 directory ACLs support limited "Scum Of The Earth" (i.e.,
unauthenticated) access, for example by allowing distinguished name access
only (and limiting the attributes and values that can be returned under such
circumstances). This isn't really as useful as it could be. I believe Steve Kille
suggested a policy that would permit limited search in the sense that there
was a threshold on the amount of returned data SOTE could "net." Of course,
internal users, even if accessing the directory over external links, should
be able to authenticate and find people inside the organization that they
need to contact for legitimate business purposes.
X.500 supports chained access, something very nice for enforcing security
policy and limited external access. Finger is no substitute, not to mention
a potential security hole, even with a packet screening gateway, so it's not
surprising you can't do it.
-- Joe
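As an added illustration of the policy Joe sketches above (not code from the thread or from any X.500 implementation), the following Python models a directory front end with two access classes: authenticated users get substring search over full entries, while unauthenticated ("SOTE") callers get only near-exact name matches, a restricted attribute set, and a cap on how many entries they can net per time window. The sample entries, the difflib similarity ratio used for "almost exact match", and the threshold and quota numbers are all my assumptions.

```python
import difflib
import time
from collections import defaultdict

# Constructed sample entries keyed by distinguished name (not from the post).
DIRECTORY = {
    "cn=Alice Example,o=Acme": {"mail": "alice@acme.example", "telephoneNumber": "x1234", "userCertificate": "CERT-A"},
    "cn=Alicia Exemplar,o=Acme": {"mail": "alicia@acme.example", "telephoneNumber": "x1235", "userCertificate": "CERT-B"},
    "cn=Bob Builder,o=Acme": {"mail": "bob@acme.example", "telephoneNumber": "x2000", "userCertificate": "CERT-C"},
}

SOTE_ATTRS = {"mail"}   # attributes an unauthenticated caller may receive (assumed policy)
SOTE_MIN_RATIO = 0.85   # how close to an exact common-name match a SOTE query must be (assumed)
SOTE_QUOTA = 2          # entries an unauthenticated caller may "net" per window (assumed)
WINDOW = 60.0           # seconds


class Directory:
    def __init__(self, entries, clock=time.monotonic):
        self.entries = entries
        self.clock = clock                 # injectable for deterministic testing
        self.served = defaultdict(list)    # requester -> timestamps of entries handed out

    def quota_left(self, requester):
        """Entries this unauthenticated requester may still receive in the current window."""
        now = self.clock()
        recent = [t for t in self.served[requester] if now - t < WINDOW]
        self.served[requester] = recent
        return SOTE_QUOTA - len(recent)

    def search(self, requester, query, authenticated=False):
        """Authenticated: substring search, full attributes. Otherwise: SOTE policy."""
        if authenticated:
            return [dict(a) for dn, a in self.entries.items() if query.lower() in dn.lower()]
        left = self.quota_left(requester)
        if left <= 0:
            raise PermissionError("unauthenticated retrieval quota exhausted")
        hits = []
        for dn, attrs in self.entries.items():
            cn = dn.split(",")[0][len("cn="):]          # "cn=Alice Example" -> "Alice Example"
            ratio = difflib.SequenceMatcher(None, query.lower(), cn.lower()).ratio()
            if ratio >= SOTE_MIN_RATIO:                   # near-exact name only; no browsing
                hits.append({k: v for k, v in attrs.items() if k in SOTE_ATTRS})
        hits = hits[:left]                                # enforce the per-window threshold
        self.served[requester].extend([self.clock()] * len(hits))
        return hits
```

A bare first name is enough for an authenticated insider but too fuzzy for an anonymous caller, while a near-exact name with a typo still resolves, and the third anonymous hit in a window is refused.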