--On Sunday, April 05, 2015 11:38 -0400 Phillip Hallam-Baker
<phill@xxxxxxxxxxxxxxx> wrote:
> On Sun, Apr 5, 2015 at 10:27 AM, Hector Santos
> <hsantos@xxxxxxxx> wrote:
>
>> You know, I will venture that most people who still have FTP
>> as part of their business or whatever, are not paying
>> attention to this noise of "getting rid of it." It would be
>> a disservice if the IETF did something that would begin
>> changing things unbeknowst to them.
>
> They probably aren't aware that they have FTP at all.
>
> Which is exactly the sort of feature that turns into a
> security hole.
It seems to me that the topic was "should the IETF turn off its
FTP Server for I-Ds and other non-RFC documents". Some of us
have said "why not as long as you don't mess up the RFCs".
Others have said "possible problems for IETF participant users
(or lurkers whom we might hope to turn into participants) whom
we might rather have spending energy on participation rather
than tuning their systems. In all cases, the documents
involved are completely public, there are more secure and
private methods available for those who want them, and no one is
being forced to use FTP.
So your threat model for the cases covered by the question is?
Now, of course, if you were just offering free advice to Hector
about how he should run his business or advise his customers,
that is anything matter.
john
p.s. I think the IETF has done the Internet community a
disservice by not examining FTP carefully and updating it in
several areas, including making it more security-, shared
server, and IPv6-friendly. I also think that the model of
separate and asynchronous control and data connections could be
used to good advantage (even including improvements to security
and privacy if carefully thought out) in a number of
applications including situations involving controlled streaming
large amounts of data. And, fwiw, the number of times I've been
saved from various bits of nastiness by running an email client
that won't follow links or execute scripts from HTML messages
are such that I wince every time someone tells me how secure the
web --especially a web that is secured by poorly-regulated
certificates-- is relation to assorted other protocols. But
none of that has anything to do with the question that Ray and
the IAOC asked.