RE: IM and Presence history

To: "Steven M. Bellovin" <smb at cs.columbia.edu>, <dcrocker at bbiw.net>
Subject: RE: IM and Presence history
From: "Hallam-Baker, Phillip" <pbaker at verisign.com>
Date: Wed, 29 Nov 2006 17:07:06 -0800
Cc: Harald Alvestrand <harald at alvestrand.no>, ietf at ietf.org
List-help: <mailto:ietf-request@ietf.org?subject=help>
List-id: IETF-Discussion <ietf.ietf.org>
List-post: <mailto:ietf@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
Thread-index: AccUFe7j9idy07ikTKmVWeX0mda8ygABRVig
Thread-topic: IM and Presence history

I absolutely agree with Steve here, but I think that the problem here is too little integration, not too much. I don't think that this security through obscurity scales very well.

There needs to be a gatekeeper. If someone wants to schedule a call with me, fine, just drop me a note first so I can tell my system to accept it. Oh and if you want to send more than a few lines in the note you will have to be on the approvals list.

CEOs and Paris Hilton already have these security measures in place.


I think that a good technical bar to set here is that a 'one address' system must be secure enough against unwanted contact that Paris Hilton can use it and post the same contact address on her Web site as Britney Spears would use to contact her.

If you are known directly or a friend of a trusted friend you get in, otherwise you get a lower level of communication, the bottom rank being directed to the Paris Hilton fan club.


> -----Original Message-----
> From: Steven M. Bellovin [mailto:smb at cs.columbia.edu] 
> Sent: Wednesday, November 29, 2006 7:23 PM
> To: dcrocker at bbiw.net
> Cc: Harald Alvestrand; ietf at ietf.org
> Subject: Re: IM and Presence history
> 
> On Wed, 29 Nov 2006 10:33:15 -0800
> Dave Crocker <dhc2 at dcrocker.net> wrote:
> 
> 
> > 
> >       The underlying specifications permit you to have different 
> > addresses, for different services.  They also permit you to have the
> > *same* address.
> > 
> This is only a good idea if coupled with a powerful, 
> easy-to-use interface that restricts presence visibility.  
> Many more people have my email address than my IM addresses; 
> I'm also very careful about who gets my mobile phone number.  
> Why?  Because IM communication and phone calls interrupt me 
> in a way that email does not.  In fact, I take advantage of 
> email to avoid giving out the other informationFrom ietf-bounces at ietf.org Wed Nov 29 20:08:42 2006
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com)
	by megatron.ietf.org with esmtp (Exim 4.43)
	id 1GpaOX-00089s-Kl; Wed, 29 Nov 2006 20:07:21 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org)
	by megatron.ietf.org with esmtp (Exim 4.43) id 1GpaOV-00089n-Ld
	for ietf at ietf.org; Wed, 29 Nov 2006 20:07:19 -0500
Received: from robin.verisign.com ([65.205.251.75])
	by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GpaOU-0006qX-8B
	for ietf at ietf.org; Wed, 29 Nov 2006 20:07:19 -0500
Received: from mou1wnexcn01.vcorp.ad.vrsn.com (mailer1.verisign.com
	[65.205.251.34])
	by robin.verisign.com (8.13.6/8.13.4) with ESMTP id kAU179cq016433;
	Wed, 29 Nov 2006 17:07:09 -0800
Received: from MOU1WNEXMB04.vcorp.ad.vrsn.com ([10.25.13.157]) by
	mou1wnexcn01.vcorp.ad.vrsn.com with Microsoft
	SMTPSVC(6.0.3790.1830); Wed, 29 Nov 2006 17:07:09 -0800
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Date: Wed, 29 Nov 2006 17:07:06 -0800
Message-ID: <198A730C2044DE4A96749D13E167AD37E7E957 at MOU1WNEXMB04.vcorp.ad.vrsn.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: IM and Presence history
Thread-Index: AccUFe7j9idy07ikTKmVWeX0mda8ygABRVig
From: "Hallam-Baker, Phillip" <pbaker at verisign.com>
To: "Steven M. Bellovin" <smb at cs.columbia.edu>, <dcrocker at bbiw.net>
X-OriginalArrivalTime: 30 Nov 2006 01:07:09.0259 (UTC)
	FILETIME=[DC1821B0:01C7141B]
X-Spam-Score: 0.1 (/)
X-Scan-Signature: 0a7aa2e6e558383d84476dc338324fab
Cc: Harald Alvestrand <harald at alvestrand.no>, ietf at ietf.org
Subject: RE: IM and Presence history
X-BeenThere: ietf at ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ietf>,
	<mailto:ietf-request at ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf at ietf.org>
List-Help: <mailto:ietf-request at ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ietf>,
	<mailto:ietf-request at ietf.org?subject=subscribe>
Errors-To: ietf-bounces at ietf.org

I absolutely agree with Steve here, but I think that the problem here is too little integration, not too much. I don't think that this security through obscurity scales very well.

There needs to be a gatekeeper. If someone wants to schedule a call with me, fine, just drop me a note first so I can tell my system to accept it. Oh and if you want to send more than a few lines in the note you will have to be on the approvals list.

CEOs and Paris Hilton already have these security measures in place.


I think that a good technical bar to set here is that a 'one address' system must be secure enough against unwanted contact that Paris Hilton can use it and post the same contact address on her Web site as Britney Spears would use to contact her.

If you are known directly or a friend of a trusted friend you get in, otherwise you get a lower level of communication, the bottom rank being directed to the Paris Hilton fan club.


> -----Original Message-----
> From: Steven M. Bellovin [mailto:smb at cs.columbia.edu] 
> Sent: Wednesday, November 29, 2006 7:23 PM
> To: dcrocker at bbiw.net
> Cc: Harald Alvestrand; ietf at ietf.org
> Subject: Re: IM and Presence history
> 
> On Wed, 29 Nov 2006 10:33:15 -0800
> Dave Crocker <dhc2 at dcrocker.net> wrote:
> 
> 
> > 
> >       The underlying specifications permit you to have different 
> > addresses, for different services.  They also permit you to have the
> > *same* address.
> > 
> This is only a good idea if coupled with a powerful, 
> easy-to-use interface that restricts presence visibility.  
> Many more people have my email address than my IM addresses; 
> I'm also very careful about who gets my mobile phone number.  
> Why?  Because IM communication and phone calls interrupt me 
> in a way that email does not.  In fact, I take advantage of 
> email to avoid giving out the other information promiscuously 
> -- I tell people who perceive an urgent need to reach me to 
> email page-smb at the appropriate domain; this address is 
> translated to both SMS and a direct email message.
> 
> 
> 
> 		--Steve Bellovin, http://www.cs.columbia.edu/~smb
> 
> _______________________________________________
> Ietf mailing list
> Ietf at ietf.org
> https://www1.ietf.org/mailman/listinfo/ietf
> 
> 

_______________________________________________
Ietf mailing list
Ietf at ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

Prev by Date: Re: DNS Choices
Next by Date: RE: Something better than DNS?
Previous by thread: RE: IM and Presence history
Next by thread: RE: SMTP compared to IM (Re: DNS Choices: Was: [ietf-dkim] Re: Last Call: 'DomainKeys)
Index(es):
- Date
- Thread

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.

RE: IM and Presence history

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.