Re: Requesting comments on draft-cheney-safe-02.txt
Hector Santos <hsantos@santronics.com> Sun, 09 August 2009 02:43 UTC
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n792hpwV090557 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 8 Aug 2009 19:43:51 -0700 (MST) (envelope-from owner-ietf-smtp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n792hpW1090556; Sat, 8 Aug 2009 19:43:51 -0700 (MST) (envelope-from owner-ietf-smtp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-smtp@mail.imc.org using -f
Received: from winserver.com (ftp.catinthebox.net [208.247.131.9]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n792hnPj090549 for <ietf-smtp@imc.org>; Sat, 8 Aug 2009 19:43:50 -0700 (MST) (envelope-from hsantos@santronics.com)
Received: by winserver.com (Wildcat! SMTP Router v6.3.452.7) for ietf-smtp@imc.org; Sat, 08 Aug 2009 22:44:06 -0400
Received: from hdev1 ([99.3.147.93]) by winserver.com (Wildcat! SMTP v6.3.452.9) with ESMTP id 3034202687; Sat, 08 Aug 2009 22:44:05 -0400
Message-ID: <4A7E37DE.7080106@santronics.com>
Date: Sat, 08 Aug 2009 22:43:42 -0400
From: Hector Santos <hsantos@santronics.com>
Organization: Santronics Software, Inc.
User-Agent: Thunderbird 2.0.0.0 (Windows/20070326)
MIME-Version: 1.0
To: "Cheney, Edward A SSG RES USAR USARC" <austin.cheney@us.army.mil>
CC: Rich Kulawiec <rsk@gsp.org>, ietf-smtp@imc.org
Subject: Re: Requesting comments on draft-cheney-safe-02.txt
References: <f6fecbd18af7.4a721c99@us.army.mil> <4A720D35.1000306@cybernothing.org> <f6e091e580a6.4a7258af@us.army.mil> <20090807100147.GA16131@gsp.org> <f73e99651b6bb.4a7d3869@us.army.mil> <4A7D9E48.4010201@santronics.com> <f77ca8111ab99.4a7e1f62@us.army.mil>
In-Reply-To: <f77ca8111ab99.4a7e1f62@us.army.mil>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smtp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smtp/mail-archive/>
List-ID: <ietf-smtp.imc.org>
List-Unsubscribe: <mailto:ietf-smtp-request@imc.org?body=unsubscribe>
Cheney, Edward A SSG RES USAR USARC wrote: >> But what about market forces? > > You must be more specific. Are you suggesting negative impacts to a > commercial market will drive users to take more efforts to protect > themselves from vulnerabilities associated with technology? No, the opposite, the vendors are hiding the options (to disable) and are managing it themselves. Only the savy is capable of understanding what is possible. >> Do you realize we have a 15 year old that is among the decision >> makers in how FireFox and Javascript is evolving? > > By the way, JQuery founder and developer lead, John Resig, is 25. > JQuery is a framework of JavaScript, and so it must be considered no > less flawed than JavaScript from a security and deployment > consideration. My keyboad is flawed (not use to my new keyboard). :-) > >> What I have trouble seeing is how SMTP will help. > > The objective is to remove client-side scripting from a client-side > user-agent regardless of that user-agent being associated with email or > the web. Honestly I have been confused with your usage of the term "email." Are you concern with WEB-based EMAIL applications? Or in general web activity? > In my opinion people, generally, do not take security seriously. Today's generation don't even know they are suppose to. >> You are not going to stop DOM events, or even get people to consider >> not using it. So if that is a major part of SAFE, you already have a >> major road block in getting people interested in SAFE. > > I disagree. You honestly think the javascript 'prototype" API authors are going to get an act of conscious and ponder "You know, what I am doing is bad?" or the implementators are going to forgot using these methods? Microsoft just officially recently announced jQuery as a supported product for their .NET framework for client side "aura" enhancements. > From solely a business perspective security mitigation is > expensive. I believe if an alternative to such problems does exist that > there would be support for adoption from large organizations to curtail > security associated expenditures. Large volume organizations direct the > strategic course of software development more any other single markup > force. One of my employers is the United States military, which is one > of the largest employers on the planet. I have seen how all sizes of > software vendors have completely revised altered their product > strategies to prevent loss of contracts from this single client. We are a CCR contractor (and the feds use we what we have, its flexible) and in the past, was a military (sub) contractor and yuo kow what is done for the feds can be much different (requirements) than what was done for commercialization. Apples and Oranges really. I'm just giving my opinion - prohibiting DOM events is a major show stopper. People won't bother to read past the abstract or the first few pages (Why Bother?). Now that doesn't mean that some vendors are still considerate of WEB 1.0 and will offer product that work outside of javascript. But the trend is more WEB 2.0+ and you are seeing sites that won't a) function and display a notice or b) don't care to explain why its not working. Using parato's principle, 80% of the user market, today, won't have a clue about any of this. I said that because you are seeing very popular sites not function at all without javascript. I doubt they are going to alter their strategy for SAFE "Prohibitive NO-DOM Policy Mandates." >> Never mind the technical issues related to a SMTP callback system >> especially one that will be based on HTTP huge redundancy in HTTP >> requests. > > I did not understand this final statement. Could you please clarify > this for me? The SAFE model is based solely upon SMTP and references no > features of HTTP. Like I said, prohibiting DOM events is a show stopper for your SAFE proposal - for me, and I 100% believe others who's survival and/or product offering is based on DOM, will agreed. So nothing else matters. But considering SMTP, I think overall, what you are asking would be including a "major revamp" - lots of software changes, so therefore whenever there is big changes it opens the door to evaluating a better solution - like a optimized client/server handshaking protocol specifically for this purpose. In short, SMTP is not an optimal prootocol for this need. Maybe I say that because I can not AVOID the idea the DOM is prohibitive. This all sort of reminds me of the differences between (batch) job thinkers versus dynamic asynchrous UI thinkers - the latter is prevailing and can not be avoided. -- Sincerely Hector Santos http://www.santronics.com
- Re: Requesting comments on draft-cheney-safe-02.t… Cheney, Edward A SSG RES USAR USARC
- Re: Requesting comments on draft-cheney-safe-02.t… Peter J. Holzer
- Re: Requesting comments on draft-cheney-safe-02.t… Cheney, Edward A SSG RES USAR USARC
- Re: Requesting comments on draft-cheney-safe-02.t… Cheney, Edward A SSG RES USAR USARC
- Re: Requesting comments on draft-cheney-safe-02.t… Alessandro Vesely
- Re: Requesting comments on draft-cheney-safe-02.t… Hector Santos
- Re: Requesting comments on draft-cheney-safe-02.t… Cheney, Edward A SSG RES USAR USARC
- Re: Requesting comments on draft-cheney-safe-02.t… J.D. Falk
- Requesting comments on draft-cheney-safe-02.txt Cheney, Edward A SSG RES USAR USARC
- Re: Requesting comments on draft-cheney-safe-02.t… Rich Kulawiec
- Re: Requesting comments on draft-cheney-safe-02.t… Rich Kulawiec
- Re: Requesting comments on draft-cheney-safe-02.t… Rich Kulawiec
- Re: Requesting comments on draft-cheney-safe-02.t… Steve Atkins
- Re: Requesting comments on draft-cheney-safe-02.t… Dave CROCKER
- Re: Requesting comments on draft-cheney-safe-02.t… Hector Santos
- Re: Requesting comments on draft-cheney-safe-02.t… Cheney, Edward A SSG RES USAR USARC
- Re: [AKO Warning - Message fails DKIM verificatio… Hector Santos
- Re: Requesting comments on draft-cheney-safe-02.t… John C Klensin
- Re: [AKO Warning - Message fails DKIM verificatio… Cheney, Edward A SSG RES USAR USARC
- Re: [AKO Warning - Message fails DKIM verificatio… Hector Santos
- Re: Requesting comments on draft-cheney-safe-02.t… John R Levine
- Re: [AKO Warning - Message fails DKIM verificatio… Cheney, Edward A SSG RES USAR USARC
- Re: Requesting comments on draft-cheney-safe-02.t… Cheney, Edward A SSG RES USAR USARC
- Re: Requesting comments on draft-cheney-safe-02.t… Willie Gillespie
- Re: [AKO Warning - Message fails DKIM verificatio… John Levine
- Re: Requesting comments on draft-cheney-safe-02.t… Cheney, Edward A SSG RES USAR USARC
- Re: [AKO Warning - Message fails DKIM verificatio… Cheney, Edward A SSG RES USAR USARC
- Re: Requesting comments on draft-cheney-safe-02.t… J.D. Falk
- Re: Requesting comments on draft-cheney-safe-02.t… Cheney, Edward A SSG RES USAR USARC
- Re: Requesting comments on draft-cheney-safe-02.t… Hector Santos
- Re: Requesting comments on draft-cheney-safe-02.t… Cheney, Edward A SSG RES USAR USARC
- Re: Requesting comments on draft-cheney-safe-02.t… Hector Santos
- Re: Requesting comments on draft-cheney-safe-02.t… Cheney, Edward A SSG RES USAR USARC
- Re: Requesting comments on draft-cheney-safe-02.t… Cheney, Edward A SSG RES USAR USARC
- Re: Requesting comments on draft-cheney-safe-02.t… Hector Santos
- Re: Requesting comments on draft-cheney-safe-02.t… John C Klensin
- Re: Requesting comments on draft-cheney-safe-02.t… Rich Kulawiec
- Re: Requesting comments on draft-cheney-safe-02.t… Cheney, Edward A SSG RES USAR USARC
- Re: Requesting comments on draft-cheney-safe-02.t… Robert A. Rosenberg
- Re: Requesting comments on draft-cheney-safe-02.t… Cheney, Edward A SSG RES USAR USARC
- Re: Requesting comments on draft-cheney-safe-02.t… Willie Gillespie
- Re: Requesting comments on draft-cheney-safe-02.t… Cheney, Edward A SSG RES USAR USARC
- Re: Requesting comments on draft-cheney-safe-02.t… Cheney, Edward A SSG RES USAR USARC
- Re: Requesting comments on draft-cheney-safe-02.t… Hector Santos
- Re: Requesting comments on draft-cheney-safe-02.t… Peter J. Holzer
- Re: Requesting comments on draft-cheney-safe-02.t… Steve Atkins
- Re: Requesting comments on draft-cheney-safe-02.t… Cheney, Edward A SSG RES USAR USARC
- Re: Requesting comments on draft-cheney-safe-02.t… Cheney, Edward A SSG RES USAR USARC
- Re: Requesting comments on draft-cheney-safe-02.t… Hector Santos
- Re: Requesting comments on draft-cheney-safe-02.t… Hector Santos
- Re: Requesting comments on draft-cheney-safe-02.t… SM