---

Date: Tue, 3 Jun 2003 10:22:52 -0400 (EDT)
From: "Christopher M. Arnold" cmarnold at applied-knowledge.net
To: Declan McCullagh <declanat_private>
Subject: comments on C-R email proposals
In-Reply-To: <5.2.1.1.0.20030603010707.0422b108at_private>

Declan--

I have enjoyed the debate on C-R systems these past weeks on the Politech list. I personally feel that the use of C-R methods for general email use completely lacks foresight but not only for the reasons you have been reporting. Two concerns of mine will be difficult, if not impossible, to resolve however.

1. There is a small group of users in the world who prefer a non-GUI mail client. Pine, elm, mutt...what have you. The use of an embedded image as an authorization token will clearly not work here. Requiring the receiver to "click" on a link is only slightly less annoying with a non-GUI client. In many cases a mailing list was joined through email as opposed to filling out a web-based form but for some reason it becomes acceptable to attempt to force the recipients to use a non-mail-related protocol to leave the list, opt-out of whatever list they find themselves on or other like situations.

Mind you, these are annoyances mainly. My primary concern is with security...

2. Firms often, and most certainly should, maintain IT-related security policies and guidelines. These are usually coupled with HR acceptable use policies, so on and so forth. The introduction of ad hoc C-R systems would more often than not either force a firm to modify its policies to accommodate them or risk dropping loads of legitimate mail. The use of RBLs at the MTA level could assist to some extent but I feel would quickly become an administrative nightmare. Additionally, many trojans, worms and viruses propagate through holes in certain popular mail clients. Individuals and enterprises alike can mitigate the risks associated with this vector of attack to some degree now but who's to say that C-R systems wouldn't create an entirely new set of problems to deal with as users randomly click more and more without thinking and vendors rush to add new features while adding new bugs?

Whatever the case, thanks for the Politech list! If you happen to post this to the list would you please be kind enough to sanitize my email address in some way?

Christopher Arnold, CISSP
Founder
Applied Knowledge Solutions Group

-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
-------------------------------------------------------------------------
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
Like Politech? Make a donation here: http://www.politechbot.com/donate/
-------------------------------------------------------------------------