RE: Privacy and IETF Document Access

2000-03-29 Thread Thomas Wolfram



 -----Original Message-----
 From: Lloyd Wood [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, March 28, 2000 10:03 PM
 To: Robert G. Ferrell
 Cc: [EMAIL PROTECTED]
 Subject: Re: Privacy and IETF Document Access
[...]
 which shouldn't be called 'anonymous', then.
 
 Just because it's a standard feature doesn't make it a good
 idea. Speaking of invasions of privacy, I can't find where in
 Navigator to set the anonymous ftp email password; looks like it's
 been inherently linked to mail identity. Building mail clients into
 web browsers has subtle privacy risks.
 
 L.

For Netscape try: ftp:[EMAIL PROTECTED]
resp.: ftp:[EMAIL PROTECTED]







Re: Privacy and IETF Document Access (again)

2000-03-29 Thread William Allen Simpson

Normally, I'd view this as rather cranky, since many implementations 
have asked for this information for rather a long time.  I usually 
access them with the generic user "ftp", not "anonymous".  I long 
ago gave up an expectation of anonymity.  I believe that the proper 
security technique is through an anonymizing service.

Sites that I regularly visit even have a stated privacy policy saying: 
your access will be monitored, if you don't like this please leave.

However, we should take warning from the recent clueless Boston judge 
that foolishly granted "accelerated discovery" of non-defendants in 
the CyberPatrol reverse engineering case, when the plaintiff asked for 
access logs of many sites.

The IETF needs a formal privacy policy.

I recommend that we remove the "anonymous" user, leaving only the "ftp" 
or "guest" users.

I recommend that we change the login message to have an explicit 
privacy statement, saying that the required email response will be 
used only for network administration purposes, destroyed after 3 days, 
and never revealed to any third party.

Such are the exigencies of interaction with the US courts

Do we have a WG that could write this up as a BCP?

Tim Salo wrote:
 I'm concerned that by asking for an e-mail address prior to permitting
 access to documents, the IETF may be projecting a poor public image of the
 organization and its efforts to assure online privacy.  As an
 organization, we pride ourselves on being more concerned than most about
 privacy in a wired world.  But, our ftp configuration could be interpreted
 as an indication that our actual data practices aren't much better than
 anyone else's.
 

[EMAIL PROTECTED]
Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32




Re: Privacy and IETF Document Access (again)

2000-03-29 Thread Maurizio Codogno


 From: Tim Salo [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]

  I recently noticed that ftp.ietf.org requires the use of an e-mail
  address (well, ok, something that looks like an e-mail address) as
  a password for anonymous login. ...
 
 I obviously wasn't particularly clear about my concerns in my original note.
 
 I'm concerned that by asking for an e-mail address prior to permitting
 access to documents, the IETF may be projecting a poor public image of the
 organization and its efforts to assure online privacy.
[...]
 No, I don't think this is a big privacy breach.  Rather, it is a matter
 of projecting an appearance that the IETF takes network privacy seriously.

I am pragmatic. If the current string 

331 Guest login ok, send your complete e-mail address as password.

is replaced with

331 Guest login ok, send your complete e-mail address or "anon@invalid" as password.

and 

530-You must supply a valid email address as your password.
530-For example, "[EMAIL PROTECTED]" is okay.

with

530-You should supply a valid email address as your password.
530-For example, "[EMAIL PROTECTED]" is okay,  
530-but "anon@invalid" is accepted too.

I think that privacy concerns would be correctly addressed.

ciao, .mau.




Re: Privacy and IETF Document Access

2000-03-28 Thread amlan

[ From: [EMAIL PROTECTED] ][ Date: 08:42 (-0600), Mar 28, 2000 ]

 I recently noticed that ftp.ietf.org requires the use
 of an e-mail address (well, ok, something that looks
 like an e-mail address) as a password for anonymous
 login.  (see sample below)
 
 I suggest that:
 
 o The IETF, consistent with its traditional concern about
   network privacy, disable this feature and allow anonymous
   access to documents without requiring an e-mail-like password,


I do not think this is really a concern because the system will
accept "[EMAIL PROTECTED]" as a valid password email as well.

/amlan.




Re: Privacy and IETF Document Access

2000-03-28 Thread chris d koeberle

On Tue, 28 Mar 2000 [EMAIL PROTECTED] wrote:
 I do not think this is really a concern because the system will
 accept "[EMAIL PROTECTED]" as a valid password email as well.

If it doesn't care whether the email address is valid, why does it insist
that the invalid email address be in the format of an email address?  The
problem is not that it insists on a valid email address, but that it
appears to do so.  This lack of clarity serves no recognizable purpose.

-=I would imagine that if 1000 Rwandans were hacked to death AT THE EXPO,
people would sure have raised a stink.=-




Re: Privacy and IETF Document Access

2000-03-28 Thread Ross Finlayson

At 07:31 AM 3/28/00, [EMAIL PROTECTED] wrote:
 I do not think this is really a concern because the system will
 accept "[EMAIL PROTECTED]" as a valid password email as well.

A quick reminder here: Should you ever want to use a 'bogus' or
'example' domain name, please use the domain name "example.com", which the 
IANA has specifically reserved for this purpose.  (Note, BTW, that the 
domain name "fool.com" that you used as an example is actually a real 
domain name used by someone else - "Motley Fool" in this case.)

This is something that I'm particularly sensitive to, because - for some 
reason - lots of people like to use my domain name ("live.com") when 
fabricating bogus email addresses - and as a result shitloads of spam ends 
up coming my way.

 Ross.

ps. I've found that most FTP servers will accept the string "guest@" in 
addition to a fully-formed email address.