data request on Sitefinder

Mon Oct 20 20:58:03 UTC 2003

On 10/20/2003 at 16:31:45 -0400, Steven M. Bellovin said:
> 
> A number of people havce responded that they don't want to be forced to 
> pay for a change that will benefit Verisign.  That's a policy issue I'm 
> trying to avoid here.  I'm looking for pure technical answers -- how 
> much lead time do you need to make such changes safely?

  I think that the policy problem adds to the technical one.  If the
community were behind Sitefinder and supported Verisign's design
goals, it would be possible to hammer out everything in a short period
of time.  But because the hearts and minds of those who would make the
changes are not won, those responsible for implementing changes would
drag their feet, hoard necessary resources, and use the incomplete
state of their implementation as an obstacle to change and, should the
change happen anyway, use this "evidence" of Verisign's "bad behavior"
as an excuse to act openly against the service, on ways that have
already been demonstrated.  Thus, the human factor will make any
purely technical estimate useless.

  Sadly, I do not feel qualified to give a detailed estimate on your
question, as presented, which I find intriguing from a purely
theoretical point of view, except to say that there are always going
to be one-offs, unique builds, etc that willneed to be changed
individually, and even without the sour feeling towards Sitefinder,
there will be procrastination and compteting priorities.  This is not,
and never will be, the only thing that needs working on.  Even with
complete technical buy-in, I wouldn't expect the mass of users to be
covered by these changes until the middle of next year if work started
today.

-Dave