Date:      2 Apr 2002 00:23:56 -0000
From:      "D. J. Bernstein" <djb@cr.yp.to>
To:        chat@freebsd.org
Subject:   Re: qmail (Was: Maintaining Access Control Lists )
Message-ID:  <20020402002356.6243.qmail@cr.yp.to>

Benjamin Krueger writes:
> It's a charlatan's promise. He fails to define security, or bug, or anything
> else really, and retains the right to define it at a later time (preferably
> after you've already reported it). If a company were to offer to pay you for
> your services in finding bugs, but not define bug or security, and after many
> years nobody was ever able to get a successful claim out of them despite
> getting many submissions, it would be called Fraud.

There have been zero submissions for the qmail security guarantee. There
have been zero submissions for the djbdns security guarantee.

The documentation in the very first qmail release pointed out that there
are many remote denial-of-service attacks on Internet mail. Later, when
I offered a security guarantee, I quite clearly excluded those attacks.
(15 January 1997: ``Some holes that don't qualify: corrupting DNS data;
breaking TCP/IP; breaking NFS; denying service.'')

If you think that Venema submitted his ``attack,'' or that my comments
on the stupidity of his ``attack'' are the only reason that the security
guarantee remains unclaimed, you are massively confused.

Furthermore, I find it strange that you allude to the sentence ``My
judgment is final as to what constitutes a security hole in djbdns''
from http://cr.yp.to/djbdns/guarantee.html without even mentioning the
next sentence: ``Any disputes will be reported here.''

You also neglect to mention that my web page names four broad classes of
security holes, with three examples of specific BIND bugs (1998 IQUERY,
1999 NXT, 2001 TSIG) as illustrations. There are no disputed examples,
so there's no point in writing a more comprehensive definition.

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago
