Re: Revised LINK -07 now online

From: Dan Grossman (dan@dma.isg.mot.com)
Date: Mon Nov 26 2001 - 17:59:48 EST


One more reply on the list, then I suggest we take this private. Unless there
are specific points that directly affect PILC links.

> On Mon, 26 Nov 2001, Dan Grossman wrote:
>
> > There are other sites that don't but should. For example, several sites that
> > I use regularly do not use SSL for passwords. I've complained, but it's like
> > complaining to a brick wall. A particularly annoying one is a site which
> > partners with my (personal) ISP to allow me to tunnel email through HTTP and
> > HTML. No use of SSL at all, even for password. Lloyd suggests not using
> > them.
>
> see below.
>
> > I don't make it a point to cut off my nose to spite my face: there are
> > times when the alternative is no access to personal email at all.
> [..]
>
> so you've evaluated the risks and you judge them acceptable. as anyone
> else can do.

No, I judge them acceptable for some subnets but not others. So, for example,
I'll use webmail when hardwired or dialled in to the corporate Intranet.
Sparingly over an Ethernet at a hotel somewhere. But definitely not over the
802.11b subnet at IETF.

>
>
> > Perhaps one point that I've tried, but failed, to get across in this debate
> > has been that perfect security is obtained only by not trying to communicate.
>
> that was exactly the point I was making to you. If you know a site you
> use regularly is insecure, do not communicate with it... voila, you
> have achieved perfect security with respect to that site.
>
> Simple, no?
>

The point is not to let the quest for perfection be the enemy of the merely
good enough.

>
> > The challenge is to see to it that mechanisms are proportionate to the assets
> > being protected and the perceived threats to those assets.
>
> in the global commons of an internetworked environment, that statement
> becomes bunk. For example, an open mail relay does not pose much of a
> problem to colocated assets that it normally delivers mail to, but to
> everyone else on the planet as forged spam surges through it, even
> though everyone else's assets don't show up on your balance sheet.
>
> (unless, of course, you're treating intangibles like your reputation
> as assets, so being real-time-blackholed would be the perceived
> threat to be protected against.)
>

The bandwidth of the link is an asset, your (non)compliance with your ISP's
AUP is an asset...

From a global perspective, the email architecture failed to take into account
that uncontrolled relays, lack of mandatory authentication and IP address
spoofing created an easily exploited vulnerability, and that there would be a
threat that unscrupulous entrepreneurs would take advantage of "free"
anonymous email delivery.

Also, I wasn't there, but can easily imagine a conversation whose conclusion
was that since perfect security would be hard, they'd do no security at all
and get back to it "later".

> Remember that any shared link is a (privileged/limited/scope/local)
> commons; as an asset the link itself generally has little intrinsic
> value

I think that certain Operators who've recently broken the bank for 3G spectrum
might take issue with that :-)

> - it's merely an access mechanism - and the value of the assets
> on the local subnetwork is as nothing compared to the value of the
> internetwork as a whole.
>
> Claude Bastiat's "What is seen and not seen" is imo a far more
> perceptive and relevant take on the whole thing than a limited-scope
> military/commercial asset-protection doctrine, and has a far better
> sense of proportion.

Reference??

>

Again, this is getting off-topic and should be concluded privately.
 
> L.
>
> <L.Wood@surrey.ac.uk>PGP<http://www.ee.surrey.ac.uk/Personal/L.Wood/>

Dan



This archive was generated by hypermail 2b29 : Mon Jan 28 2002 - 09:12:29 EST