Hi

On Thu 30/Jan/2014 22:17:25 +0100 Alissa Cooper wrote:
> On 1/30/14 10:52 AM, "Alessandro Vesely" <vesely@xxxxxxx> wrote:
>> On Wed 29/Jan/2014 17:16:56 +0100 IAB Chair wrote:
>>>
>>> The document is available for inspection here:
>>> https://datatracker.ietf.org/doc/draft-iab-filtering-considerations/
>>
>> Albeit it purports to keep clear of (un)ethical considerations, the
>> document seems to be oriented toward government-imposed restrictions,
>> recounting how it would be better to move filtering to collaborative
>> endpoints rather than disrupting Internet operation, since bad actors
>> can circumvent filtering anyway. I fully agree, but I think that a
>> general purpose document on this subject might have touched on such
>> points as password management, user identification, and outbound port
>
> Could you expand a bit about what you feel is missing as regards to
> password management and user identification?

Blocking dictionary attacks is an obvious requirement for any server
endpoint. Perhaps that topic is not really /missing/, since it is so
obvious and apparently overworked. However, most of the applications
which log authentication failures don't support tracking the number of
failed attempts against a given password. Thus, policies blindly
require passwords to be changed after T days, irrespectively of the
entropy that a password had and the amount of it that could have been
eroded by failed attempts. So maybe that topic is not as overworked as
it may appear.

Upon authentication, a user-id qualifies an endpoint. Together with a
realm-id, it makes a global identifier. Email address confirmation can
be considered a kind of rendezvous service, which users can block by
discarding the request. The exchange of marketing profile data between
unscrupulous operators, often based on email addresses, is a kind of
abusive or objectionable communication. Disposable addresses are an
example of a mechanism to block that indirectly. They require
endpoint-based support at both ends, which is rather uncommon.

Thank you for your interest
Ale
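Added example, not part of the original message: one way to track failed attempts against the current password and estimate how much of its entropy they may have eroded, so that rotation follows erosion rather than a fixed T days. The log format, the per-user entropy figures and all function names are assumptions made for illustration, and the model is a worst case in which every failure eliminates one distinct candidate from a uniformly chosen password.

```python
import math
import re
from collections import defaultdict

# Constructed log format (an assumption): "<timestamp> <EVENT> user=<name>"
LINE = re.compile(r"^(\S+) (FAIL|OK|PWCHANGE) user=(\S+)$")

def failures_since_change(lines):
    """Count failed logins per user since that user's last password change."""
    counts = defaultdict(int)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore lines that are not auth events
        _, event, user = m.groups()
        if event == "PWCHANGE":
            counts[user] = 0      # a new password starts with full entropy
        elif event == "FAIL":
            counts[user] += 1     # successful logins do not reset the count
    return dict(counts)

def remaining_entropy(initial_bits, failed):
    """Bits left if each failure ruled out one distinct candidate (worst case)."""
    candidates = 2.0 ** initial_bits - failed
    return math.log2(candidates) if candidates >= 1 else 0.0

def rotation_due(lines, initial_bits, min_bits):
    """Users whose estimated remaining entropy fell below min_bits.

    initial_bits maps user -> entropy estimated when the password was set;
    a user missing from it is treated as 0 bits and therefore flagged.
    """
    counts = failures_since_change(lines)
    return sorted(u for u, n in counts.items()
                  if remaining_entropy(initial_bits.get(u, 0), n) < min_bits)

# Constructed sample: the same 600 failures hit a weak and a strong password.
SAMPLE = (["2014-01-01T00:00:00 PWCHANGE user=alice"]
          + ["2014-01-02T00:00:00 FAIL user=alice"] * 600
          + ["2014-01-03T00:00:00 OK user=alice",
             "2014-01-01T00:00:00 PWCHANGE user=bob"]
          + ["2014-01-02T00:00:00 FAIL user=bob"] * 600)
BITS = {"alice": 10, "bob": 40}   # constructed entropy estimates

if __name__ == "__main__":
    for user, n in failures_since_change(SAMPLE).items():
        print(user, n, round(remaining_entropy(BITS[user], n), 2))
    print("rotate:", rotation_due(SAMPLE, BITS, min_bits=9))
```

With the constructed data, the same number of failures pushes the 10-bit password below the 9-bit threshold while leaving the 40-bit password essentially untouched.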