[standards-jig] Discussion on JEP-0016: Server-Based Privacy Rules
dizzyd at jabber.org
Sun Jan 20 00:37:30 UTC 2002
On Sat, Jan 19, 2002 at 02:44:03PM -0500, mlin at mlin.net wrote:
> Hi Diz,
> If you go back and read the earlier messages, x-virge and I both point out
> that the blacklist is trivial to circumvent. Make up a new username or
> cycle the DHCP on your local server, and you have a new JID to play with.
> In this sense, the feature is just a virtualization and it is irrelevant
> whether it is performed on the client or the server. The bandwidth
> argument fails because the blacklist can be circumvented so easily either
I see that I misread your original statement. Yes, people can certainly
make up new JIDs that can then be used to bypass the previous blacklist.
In answer to this, I would suggest that we provide a whitelist
alternative that (for instance) would only allow presence subscription
requests through. This would be a giant step forward in solving the
"new-id" problem. Would it provide 100% coverage? No. But it
(blacklisting/whitelisting) would provide a valuable feature that many
people have asked for.
> I'm not saying that the blacklist feature will definitely reduce
> scalability. I am saying it is possible that it will, and we should
> _empirically_ study this before deploying the feature. I can say "no,
> end-to-end argument", you can say "yes, scalability hit to increase
> functionality"; until we test it, it doesn't mean anything.
Agreed. However, what is your proposition for testing the scalability?
We certainly can't stick it into only the .org server and make a
conclusion from that -- I can tell you from experience that the .org
server has a sufficient amount of other bottlenecks that it would be
next to impossible to make a meaningful determination based on a
sampling of .org server only. I am open to testing it though.
> I urge you to think about the sendmail argument more carefully. The first
> thing to realize is that, with respect to blacklisting, we are not solving
> any new problems. As a common theme I've been pointing out in various
> places recently, many of the problems we are groping with and worrying
> about have been looked at by much smarter and more well-funded people a
> long time ago. This is particularly true of sendmail. Conceptually, Jabber
> is an evolution of sendmail that increases the speed of message delivery,
> and adds a few nice things like presence. It would be foolish to disregard
> the decades of work, money, thought, and time that has gone into that
> system. Where we can innovate, and where we should thus focus on
> innovating, are the few new problems we are solving, like presence
> management and presence-aware web services.
Hmm. I'm trying to not be so hasty as I was this morning (be like
Treebeard!). However, what I'm hearing is, "Let's not worry about
blacklisting since other people (who are smarter and richer) haven't
been able to solve it..." Are you saying something like that or...?
I, for one, am very pro-black/white-listing simply because it's a feature
that people have been asking for. Based on that, we should make a best
effort to provide the feature and move on. It may not be perfect, but it
will solve 80% of the problem.