On Wed, 23 Jan 2002 08:49:49 PST, Kyle Lussier <[EMAIL PROTECTED]> said:
> No one wants to be bogged down with bureaucracy, but I don't
> mind filling out an application, sending in $100, and getting

Things are always simple when things are working...

> the logo. If I become a bad vendor, then people in an IETF
> WG can move to yank my logo. There should be a process for
> the "yanking" of the logo that is very fair, and arguably
> should happen over a period of time, be pretty lenient
> and give vendors more than ample time to "do the right thing."

On the other hand, all it takes is one large vendor who realizes that it's cheaper to send one of their lawyers over to have a friendly chat with you than to actually *fix* the problem...

You're also overlooking another problem - Installed User Base.

Let's make the assumption that Bill Gates was *serious* in the quotes last week that Microsoft is dedicating itself to security. Now, let's even assume that next week, Microsoft ships Outlook 2002 and IE 7, and that both are completely and totally free of both security issues(*) and RFC violations.

Compute how many years it will take before the current releases go away.

Hint - how many Windows95 boxes are *still* out there?

Remember Code Red and Nimda? Microsoft *HAD FIXED THOSE BOTH ALREADY*.

If a vendor *fixes* something and we get burned that bad, what makes you think that yanking the right to use a logo will change anything?

/Valdis

(*) A case could be made that many Outlook/IE security issues are due to violation of the MIME RFC's suggestion that the security model for active content be very closely scrutinized. Unfortunately, RFC2046 says:

   9. Security Considerations

   Security issues are discussed in the context of the "application/postscript" type, the "message/external-body" type, and in RFC 2048. Implementors should pay special attention to the security implications of any media types that can cause the remote execution of any actions in the recipient's environment. In such cases, the discussion of the "application/postscript" type may serve as a model for considering other media types with remote execution capabilities.

Not even an RFC2119 capitalized SHOULD. (Yes, I know it predates 2119 ;)
