[rfc-i] Pre-IETF RFCs to Historic (not really proposing)

Dave CROCKER dhc at dcrocker.net
Tue Sep 20 08:46:43 PDT 2011


On 9/18/2011 4:09 PM, Joe Touch wrote:
> 1) a spammer now knows the future email address of all RFC authors without
> doing the work of scraping the RFC text

Similar to the way spammers can 'know' addresses by using IETF mailing lists.

In other words, you have indeed probably identified an attack vector that is
theoretically possible.

However, both history and current realities make it not a significant issue.  As
I've noted, an equivalent attack vector has not been explored (much) in the past
few decades.  In terms of current realities, as John Levine notes, this kind of
attack simply isn't in the style or scale of real-world spammers.

> The IETF configures email lists to "hide" email addresses in ways that a
> scrape could get (touch at isi.edu, vs. touch at isi.edu). If that's valuable to
> subscribers, as is hiding the full list of subscribers, then clearly not
> making these aliases available is in the same spirit.

It isn't valuable to subscribers.  The hiding mechanism is not effective.

>> Whether you can foil that process depends upon the operational policies of
>> the updating organization. In the case of the IETF and/or RFC-Editor, it
>> seems more than a little likely that they would be responsive to an
>> individual's desire. As of now, I believe they are not doing updating
>> automatically (whatever that means) nor has the basis for updating been
>> discussed in the proposal for a role address.
> That was what was proposed, and that's the part I am concerned about.

Rather than such a vigorous attack on this entire idea, it would be more helpful 
to contribute to the functional spec for the updating process, to ensure 
adequate convenience and 'protection'.


   Dave Crocker
   Brandenburg InternetWorking
