data request on Sitefinder

Howard C. Berkowitz hcb at gettcomm.com
Tue Oct 21 00:06:50 UTC 2003


>On Mon, 20 Oct 2003 17:15:23 -0400 "Howard C. Berkowitz" 
><hcb at gettcomm.com> wrote:
>>  At 5:04 PM -0400 10/20/03, Richard Welty wrote:
>>  >may i suggest another operational issue then?
>
>>  >how does verisign plan to identify and notify all affected parties
>>  >when changes
>>  >are proposed?
>
>>  >for example, in the current case, how do they plan to identify every
>>  >party running
>>  >postfix and inform them that they need to upgrade their MTA?
>
>>  >this seems non-trivial to me.
>
>>  Purely from an operational standpoint, it would be a mark of
>>  efficiency to have a central repository of who is running what.  That
>>  would mean that notifications would only be sent to those that need
>>  them, and also would provide objective information to determine how
>>  many organizations would be affected by a change.  In other words,
>>  something that actually would be useful.
>
>i maintain that building this list is phenomenally difficult. the set of
>people running mail servers is substantially larger than the set of
>people who read nanog, run backbones, run regional ISPs, etc., etc.

I don't really disagree with you, even ignoring that many providers 
would consider much of this information proprietary, much as they 
might for private peering arrangements. This is something of a 
thought experiment on what would have to be available for a Verisign 
or the like to make unilateral changes without presenting the idea 
for comment, well in advance.

The process of asking for comment through IETF and the operational 
forums has the proven benefit of getting major players to look at the 
issue and decide to comment.  Now, as you point out, there are many 
people who run mail servers and the like, who don't follow any 
relevant mailing lists.

I would suggest, however, that the people who do read these lists run 
mail servers with more end users than the small system administrators 
who do not.

The absence of a list such as I've described, the difficulty of 
creating which you point out, makes it more unlikely to me that an 
organization can really assess the effects of unilateral design 
changes, especially when that assessment is shrouded in commercial 
secrecy.

>
>i don't disagree that it would be useful, but how are you going to
>build it without actively probing mail servers across the internet?
>and it can't possibly ever be complete, with PIX firewalls obscuring
>SMTP banners and sysadmins depending on security-by-obscurity
>who change their banners to eliminate MTA identification.
>
>richard
>--
>Richard Welty                                         rwelty at averillpark.net
>Averill Park Networking                                         518-573-7592
>     Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
