[18985] in bugtraq
Defending the (supposedly) indefensible...
daemon@ATHENA.MIT.EDU (Raju Mathur)
Sat Feb 3 18:37:42 2001
Message-ID: <14972.9813.695592.505397@localhost.localdomain>
Date: Sat, 3 Feb 2001 21:10:05 +0530
Reply-To: raju@linux-delhi.org
From: Raju Mathur <raju@linux-delhi.org>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20010202141458.A15604@greymouser.com>
>>>>> "Phil" == Phil Scarr <prscarr@GREYMOUSER.COM> writes:
Phil> [snip]
Phil> While there has been a lot of hyperbole strewn about on this
Phil> topic, I figured I'd go out on a very long, slender limb and
Phil> agree with the stated purpose of this new
Phil> conspiracy/cabal/clique/whatever.
Phil> I agree that TLDs should have early access to security
Phil> related issues. I can also make the same argument for
Phil> vendors who ship bind as part of their offerings, especially
Phil> OS vendors like Sun, HP and IBM.
It is unlikely that anyone would quibble with that point. To me, the
scary part is that so much power rests in the hand of one single
organisation (or even one single person). ISC and Paul Vixie decide
unilaterally who gets to join the BMG for money, who gets to join it
for free, and who doesn't get to join it. I'm no Microsoft lover, but
what if ISC decides that MS doesn't get to be part of the BMG (BIND
doesn't ship with Windows by default, does it?)? Does that mean that
all the Hotmail nameservers are vulnerable to new named exploits until
the BMG decides to release a patch? How does ISC decide which Linux
vendors can be given free participation in the BMG, which have to pay,
and which aren't eligible at all? Will I automatically get free
membership of the BMG if I make my own Hindi Linux distribution for
use in North India and get 3 people to use it? How about an Iraqi
Linux distribution (Iraq is prohibited from downloading strong
cryptography from most countries and thus cannot easily conform to the
S/MIME/PGP requirement)?
I'd strongly urge Paul Vixie and the BMG to have a coherent membership
policy answering these questions before they take any further steps
and make any more announcements regarding the BMG. A clear-cut,
coherent public membership policy would go a long way towards
alleviating the concern that the announcement has created in the
security and Internet communities. The policy will also enable
developers and other concerned people to decide whether ISC BIND and
the BMG are sufficiently open to prevent a fork of the source or not.
Phil> [more snip]
Regards,
-- Raju
--
Raju Mathur raju@kandalaya.org http://kandalaya.org/