IETF Logo Mail Archive

Re: [Asrg] seeking comments on new RMX article

J C Lawrence <claw@kanga.nu> Wed, 07 May 2003 01:45 UTC

Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA17138 for <asrg-archive@odin.ietf.org>; Tue, 6 May 2003 21:45:01 -0400 (EDT)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id h471rlH18155 for asrg-archive@odin.ietf.org; Tue, 6 May 2003 21:53:47 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h471rl818151 for <asrg-web-archive@optimus.ietf.org>; Tue, 6 May 2003 21:53:47 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA17118; Tue, 6 May 2003 21:44:31 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19DE0y-0004LN-00; Tue, 06 May 2003 21:46:36 -0400
Received: from ietf.org ([132.151.1.19] helo=www1.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 19DE0y-0004LK-00; Tue, 06 May 2003 21:46:36 -0400
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h471q4818077; Tue, 6 May 2003 21:52:04 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h471pw818019 for <asrg@optimus.ietf.org>; Tue, 6 May 2003 21:51:58 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA17087 for <asrg@ietf.org>; Tue, 6 May 2003 21:42:42 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19DDzE-0004KS-00 for asrg@ietf.org; Tue, 06 May 2003 21:44:48 -0400
Received: from ocker.kanga.nu ([198.144.204.213] helo=dingo.home.kanga.nu) by ietf-mx with esmtp (Exim 4.12) id 19DDzD-0004KP-00 for asrg@ietf.org; Tue, 06 May 2003 21:44:47 -0400
Received: from localhost ([127.0.0.1] helo=kanga.nu) by dingo.home.kanga.nu with esmtp (Exim 3.35 #1 (Debian)) id 19DDyV-0003vY-00; Tue, 06 May 2003 18:44:03 -0700
To: "Eric D. Williams" <eric@infobro.com>
cc: Michael Rubel <asrg@mikerubel.org>, "asrg@ietf.org" <asrg@ietf.org>
Subject: Re: [Asrg] seeking comments on new RMX article
In-Reply-To: Message from "Eric D. Williams" <eric@infobro.com> of "Tue, 06 May 2003 20:50:50 EDT." <01C31414.E0DB0F60.eric@infobro.com>
References: <01C31414.E0DB0F60.eric@infobro.com>
X-face: ?<YUs-cNP1\Oc-H>^_yw@fA`CEX&}--=*&XqXbF-oePvxaT4(kyt\nwM9]{]N!>b^K}-Mb9 YH%saz^>nq5usBlD"s{(.h'_w|U^3ldUq7wVZz$`u>MB(-4$f\a6Eu8.e=Pf\
X-image-url: http://www.kanga.nu/~claw/kanga.face.tiff
X-url: http://www.kanga.nu/~claw/
Message-ID: <15099.1052271843@kanga.nu>
From: J C Lawrence <claw@kanga.nu>
Sender: asrg-admin@ietf.org
Errors-To: asrg-admin@ietf.org
X-BeenThere: asrg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=unsubscribe>
List-Id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-Post: <mailto:asrg@ietf.org>
List-Help: <mailto:asrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=subscribe>
List-Archive: <https://www1.ietf.org/pipermail/asrg/>
Date: Tue, 06 May 2003 18:44:03 -0700

On Tue, 6 May 2003 20:50:50 -0400 
Eric D Williams <eric@infobro.com> wrote:
> On Tuesday, May 06, 2003 7:50 PM, J C Lawrence [SMTP:claw@kanga.nu]
> wrote:
>> On Tue, 6 May 2003 12:10:21 -0700 (PDT) Michael Rubel
>> <asrg@mikerubel.org> wrote:
 
>> Nope, there's nothing in there specific to RMX, RMX just prompted
>> some mental noodling which ended up with me doing some arm waving at
>> future attack vectors.  RMX is broken for simpler reasons, which have
>> been well covered without my help.

> Please explain.  I do not think that your example has shown a flaw in
> RMX.  

<sigh> Please read what I wrote.  Your question states that you haven't.

> As I stated in my message on this point the attack scenario you
> describe is a security concern primarily and a spam issue secondarily.

Quite.

> In fact if a system is compromised spamming would be a minimal concern
> as compared to eliminating the vulnerability.  

Empirically, average homeowner desktop users do not have that view, not
even slightly.

> Please give an example of how RMX is fundamentally broken. I have
> heard that opinion several times today, could you provide an example
> (especially since it is so trivial - I have not been able to come up
> with one)?

Not my business, not my interest.  This message represents almost an
order of magnitude greater investment in RMX than I have interest in it.
The list archives cover the ground quite effectively.  If you don't read
them that way, that's up to you.  We differ.  Life will go on.

>>> As you note, RMX would not help against this kind of attack, and 
>>> frankly neither would any other proposal I'm aware of.  If I can
>>> trick your machine into thinking I'm you, then I can do bad things
>>> in your name and thus make you look bad.
 
>> Quite.  As I noted at the time, this is a core problem with edge
>> authentication schema, and isn't necessarily resolvable.

> I am not sure of what you are saying are you referring to systems
> commonly known as user desktops?  I did not recognize the attack
> vector in your example or a description of what part of RMX introduced
> a flaw/vulnerability into the compromised system.

Aiiieee!  Please try reading a message as written.  I have made no
specific comment about user desktops except as an example application of
the attack vector.  User desktops, as a specific case are uninteresting.
There's nothing unique there.  Just how many times do I have to write
that RMX is not particularly involved in that attack vector?

>>> I submit that RMX gives a significant improvement, and it's just 
>>> simple/easy enough that people might start using it!
 
>> Deployment expenses with RMX are a significant problem, as are the
>> ROI curves related to percentage deployments and fundamental email
>> use costs.  You can arm-wave technical solutions at them, but they
>> merely increase the deployment, support, and maintenance costs for a
>> negative ROI on the part of the deployer.  You are attempting to
>> recreate top-down authority structures when the natural (and proper?) 
>> tendency of the field in normal legitimate use is for
>> self-authenticating/identifying nodes, not external nomination
>> systems.

> From where does this analysis stem.  

Me.

> Please cite examples of how you determined the deployment costs and
> ROI on RMX.  I am interested in reproducing your results for
> validation.

Sorry, no.  Simply, it is neither worth my time or yours.  Arguments,
evaluations, and empirical evidence has been presented in the last weeks
which you have variously ignored, decreed as irrelevant, or labeled as
an acceptable cost.  I've no interest in repeating that history when it
is so readily available in the archives.  Not my job, not my investment,
not my interest.

>> Now, can we move on to digging out a proposal which has a chance of
>> being useful instead of beating dead horses?

> I think it's still twitching.

Aye, sometimes the nerves take a bit longer to die.

-- 
J C Lawrence                
---------(*)                Satan, oscillate my metallic sonatas. 
claw@kanga.nu               He lived as a devil, eh?		  
http://www.kanga.nu/~claw/  Evil is a name of a foeman, as I live.
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg

v2.23.0 | Report a Bug | By Email