Text 2317, 85 rader
Skriven 2004-08-04 12:23:00 av Alex Shakhaylo (2:461/701)
   Kommentar till text 2315 av Matt Bedynek (1:106/1)
Ärende: internet connectivity FSP
=================================
*** Answering a msg seen in area CC (CC).

Hi, Matt!

04 Aug 04 02:01, Matt Bedynek said to Alex Shakhaylo:

 AS>> (FTP, SMTP, POP3, IMAP, HTTP, forgot something ?)

 AS>> This scheme is plain simple:

 AS>> username is an FTN address
 AS>> password is session password (for secure links)
 AS>>             blank or anything (for insecure links and
 AS>>             plain authentication)
 AS>>             '-' (for insecure links and CRAM-MD5 based
 AS>>             authentication)

 MB> This is no different than FTP (another "standard" I believe does not
 MB> belong). With user based authentication one cannot operate in the
 MB> traditional "fidonet sense".  "anonymous" connections for simple
 MB> netmail exchange is not possible. A connection must be setup before
 MB> communication can take place.

As long as login data is a function of FTN address, it is very
vell possible to make "anonymous" connections. The problem is
in case of "anonymous" connection you never know who is a real
poster.

 MB> The good thing about BinkP and EMSI
 MB> (et.al.) is that items can be placed on hold for pickup w/o a
 MB> password
 MB> (if needed) and anonymous communication is possible.  If I want to
 MB> setup a secure connection I can drop off netmail, request you place
 MB> the response on hold, and poll back in a few days.  One cannot do this
 MB> with FTP or this new HTTP implementation (it appears).  I also doubt
 MB> it can be done with the various e-mail based transport methods but I
 MB> might be wrong there.

The same here. 1:106/1 is your login to any of my services
(emsi, binkp, ftp, http, smtp and pop3). And I can drop you
a message on hold and you can pick it up in any of the ways,
but without a session password I cannot be sure that it was
you who picked it up. The same with binkp and emsi. Somebody
can setup your address as AKA in his mailer and pick up in-
secure mail.

During a week of test period I've got about 10 messages from
1:1/1, some messages from 1:1/3, a pair messages from 1:10/3
and so on. So you may pretty well to login "anonymously", but
this doesn't have much sense.

 MB> I consider listing things which do not improve connectivity to be
 MB> redundant padding.  Your nodelist entry is generally setup to
 MB> facilitate easy communication with those you do not communicate with
 MB> on a regular basis.

Exactly. You can connect my system very easy with any email
client or internet browser or FTP client. I can drop you a
message on hold and you can get convinced that we don't need
to have a private agreement to use my additional services,
but I'm afraid that anybody can login instead of you and pick
up your mail (and then delete it). This is a leak of any "ano-
nymous" service -- you can't know who actually is on a remote
side. And this does concern EMSI and binkp in the very same
extent.

 MB> Now, if http does sucessfully allow insecure connections then it must
 MB> operate in a dropoff mode only not allowing the anonymous nodes to
 MB> pickup or see files it droppe off because systems with high bandwidth
 MB> will be used as "warez site".

No. You can drop a message only to sysop and post a file only to
sysop and read only mail that is addressed to you (I mean that is
packed for your address) You cannot use my server as a cache for
the messages and files without ageement with me.

 MB> Finally, does any software support this
 MB> standard?

Radius does ;)

Bye, Sinc, Alex

--- GoldED/W32 3.0.1
 * Origin: , (2:461/701)