This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/db-wg@ripe.net/
mnt-nfy
Janos Zsako
zsako at banknet.net
Fri Oct 18 12:25:02 CEST 1996
> From owner-db-wg at ripe.net Fri Oct 18 08:19:02 1996

> In my opinion notifications should *not* be sent to the originator of
> the change request. We had too many complaints about too many
> notifications. Those wishing to receive notifications of their own
> changes can easily achieve that by putting an alias mailbox into their
> notification attributes.

I think I have no problem with the above (I mean I will not argue in
favour of changing this).

> Note also that this smartness quite consciously introduces less
> 'security' because it allows someone to make clandestine changes by
> forging his From:-address to avoid notification. We did this because
> those with really high security requirements should use maintainers with
> a stronger authentication method.

Correct. However I originally noticed that this "feature" also works by
adding a Reply-to: in the header...

My point at the RIPE meeting was that when sending an update with a
Reply-to, the mnt-nfy DOES get a "warning" message, that somebody made
SOME updates, (since the "Congratulations" are sent to her), but has no
clue wrt. WHAT exactly has been modified (usually the Subject: line does
not provide accurate information - if at all)...

(Of course, the situation can be even worse if the From: line is forged...)

If I remember correctly, at the DB-WG session the absence of the
notification (in the Reply-to case at least) was considered a *bug*.

I still incline to consider the "Reply-to case" a bug (or *unwanted*
feature). Forging the mail header is usually less trivial than adding
a Reply-to. The latter can even occur inadvertently (this is how I
discovered all the above).

Janos

PS. I suppose (and strongly hope :)) the authentication is based on the
From: and not the Reply-to:.
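
The Reply-to case described in this message, modelled as an added example (not part of the original post and not the RIPE database software's code). The addresses, the `plan_mail` and `uninformed` functions, and the rule for choosing the originator are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: an update whose Reply-To names the maintainer's mnt-nfy mailbox.
UPDATE = message_from_string(
    "From: user@example.org\n"
    "Reply-To: hostmaster@example.net\n"
    "Subject: update\n"
    "\n"
    "inetnum: 192.0.2.0 - 192.0.2.255\n"
)
MNT_NFY = ["hostmaster@example.net"]  # constructed mnt-nfy value


def addr(msg, header):
    """Bare lower-cased address from a header, or '' if the header is absent."""
    return parseaddr(msg.get(header, ""))[1].lower()


def plan_mail(msg, mnt_nfy, reply_to_is_originator):
    """Return (ack_recipient, notification_recipients) for one update.

    The acknowledgement goes to Reply-To if present, else From.
    Notifications, which carry the actual change, go to every mnt-nfy
    address except the one treated as the originator (assumed rule).
    """
    sender = addr(msg, "From")
    ack_to = addr(msg, "Reply-To") or sender
    originator = ack_to if reply_to_is_originator else sender
    notify = [a for a in mnt_nfy if a.lower() != originator]
    return ack_to, notify


def uninformed(msg, mnt_nfy, reply_to_is_originator):
    """mnt-nfy addresses that get no notification although they did not send the update."""
    _, notify = plan_mail(msg, mnt_nfy, reply_to_is_originator)
    notified = {a.lower() for a in notify}
    sender = addr(msg, "From")
    return [a for a in mnt_nfy if a.lower() not in notified and a.lower() != sender]


if __name__ == "__main__":
    for policy in (True, False):
        print("Reply-To counts as originator:", policy)
        print("  ack, notifications:", plan_mail(UPDATE, MNT_NFY, policy))
        print("  left without details:", uninformed(UPDATE, MNT_NFY, policy))
```

Running `uninformed` over incoming updates with the suppression keyed on From: only returns an empty list for this sample, while the maintainer's own updates are still not echoed back.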