Dave Crocker | 1 Mar 18:50

monthly password reminders -- default to yes vs. no?


Folks,

A member of a mailing list I run complained about getting his mailing list 
password, in the clear, every month.  Apparently this is the default for mailman 
and I hadn't ever thought about it.

Having spent the requisite cognitive effort, after receiving the complaint, I 
find myself unable to form a strong opinion one way or the other.  (Which, by 
itself, might engender a strong opinion, but that's for a different thread.)

Certainly the sending of a password in the clear sounds like a terrible idea and 
one might expect it to be enough to mandate turning the default off.

However, these are discussion lists, not mission-critical 
collaboration-and-sign-off lists.  In addition, I find myself forgetting list 
passwords often enough to think that getting a periodic reminder doesn't seem 
like such a bad idea.

In other words, this seems like a mechanism worthy of legitimate pro arguments 
and con arguments.

So I thought I'd ask you all for opinions...

d/
--

-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net


Arnt Gulbrandsen | 1 Mar 20:49

Re: monthly password reminders -- default to yes vs. no?


I suspect that this decision serves one purpose only: Less load on the 
humans who manage the lists. I've been in that role for 15 years now, 
so I'm too biased to say anything about whether that's good or bad.

Arnt

Dave Crocker | 2 Mar 00:15

Multiple message-ids.


Folks,

The email-arch specification notes that Internet standards provide for at most 
one Message-ID, but the document asserts that more than one sometimes appear in 
a message.  I put that in because that's been my impression.

The assertion has been challenged.  Easiest way to resolve this is to query the 
community.

So, Community, I'm querying you:

    Do you see multiple message-id's in messages?

    If you do, what effect do they have?

d/
--

-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net

Frank Ellermann | 2 Mar 05:55

Re: Multiple message-ids.


Dave Crocker wrote:

> the document asserts that more than one sometimes appear
> in a message.

That is a bug.  There should be precisely one Message-ID per
message, set by the UA or MSA / news / list server.  When a
message without Message-ID hits a mail2news gateway, and the
gateway is not sure that there are no other gateways into
the same newsgroup(s), the broken message has to be dropped.  

And a message with more than one Message-ID also has to be 
dropped.  In that case an error report to the broken MSA
could help, IIRC MSAs are supposed to enforce 2822 syntax.

 Frank

Hector Santos | 2 Mar 06:57

Re: Multiple message-ids.


Dave,

I don't expect it, nor do any of our mail software designs, main mail 
processors, distribution, dupe checkers, tracers, gateways or other 
mail utilities support the silly concept of multiple Message-id: headers 
per message. Of course, it may exist but only one is truly valid.  I 
have personally never seen, or don't recall ever seeing, multiple message-id: 
lines and I can't imagine at this time what the effect would be other 
than that only the first or maybe the last one is used.

Is it possible there was a miscommunication with your challenger in 
regard to the References: header, which includes a list of multiple 
message ids?

Dave Crocker wrote:
> 
> Folks,
> 
> The email-arch specification notes that Internet standards provide for 
> at most one Message-ID, but the document asserts that more than one 
> sometimes appear in a message.  I put that in because that's been my 
> impression.
> 
> The assertion has been challenged.  Easiest way to resolve this is to 
> query the community.
> 
> 
> So, Community, I'm querying you:
> 

SM | 2 Mar 07:02

Re: Multiple message-ids.


At 15:15 01-03-2008, Dave Crocker wrote:
>    Do you see multiple message-id's in messages?

No, I haven't noticed that but it may happen.

Multiple message-ids would affect applications that use the 
message-id to reference the message.  MSAs usually verify whether the 
message is RFC 2822 compliant and fix it.

Regards,
-sm 

Alessandro Vesely | 2 Mar 10:54

Re: monthly password reminders -- default to yes vs. no?


Dave Crocker wrote:
> 
> A member of a mailing list I run complained about getting his mailing 
> list password, in the clear, every month.  Apparently this is the 
> default for mailman and I hadn't ever thought about it.

That enforces the requirement that the owner of an email address, the 
"data subject" in European privacy directives parlance, must be able 
to amend or delete the relevant entry of the list.

> Certainly the sending of a password in the clear sounds like a terrible 
> idea and one might expect it to be enough to mandate turning the default 
> off.

The user should have been warned to choose a weak password.

> So I thought I'd ask you all for opinions...

IMHO, it is annoying but practical, thus I'd vote yes.

As an alternative, we could have a generic mechanism that maintains a 
distributed database of forwarded email addresses, so that recipients 
can navigate to each entry point where their address is stored along 
with a recipe for forwarding email messages. Besides the accompanying 
chance to fix forwarding, that would provide a framework to seamlessly 
manage

* mailing lists,
* newsletters, and

Ingo Klöcker | 2 Mar 12:19

Re: monthly password reminders -- default to yes vs. no?

On Sunday 02 March 2008, Alessandro Vesely wrote:
> Dave Crocker wrote:
> > A member of a mailing list I run complained about getting his
> > mailing list password, in the clear, every month.  Apparently this
> > is the default for mailman and I hadn't ever thought about it.
>
> That enforces the requirement that the owner of an email address, the
> "data subject" in European privacy directives parlance, must be able
> to amend or delete the relevant entry of the list.

The user can request the password to be sent to him. So it is not 
necessary to send unsolicited password reminders. OTOH, in order to 
request a password reminder the user must know which email address he 
used to subscribe to the mailing list. (Yes, I know that the 
subscribers of this particular mailing list can determine this address 
from the message header. Subscribers to other mailing lists often lack 
the necessary knowledge.) So in the end sending unsolicited password 
reminders saves the mailing list administrator from getting too many 
cries for help from the subscribers.

> > Certainly the sending of a password in the clear sounds like a
> > terrible idea and one might expect it to be enough to mandate
> > turning the default off.
>
> The user should have been warned to choose a weak password.

Since mailman automatically chooses a weak, but secure enough password 
the user probably should not be asked for a password at all. This would 
prevent the user from re-using an important password.


Dave Crocker | 2 Mar 13:42

Re: monthly password reminders -- default to yes vs. no?


Ingo Klöcker wrote:
> The user can request the password to be sent to him. So it is not 

In looking at the web page for a mailman mailing list, I do not see how to 
request a password be emailed.

d/
--

-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net

Arnt Gulbrandsen | 2 Mar 14:08

Re: Multiple message-ids.


Dave Crocker writes:
> So, Community, I'm querying you:
>
>    Do you see multiple message-id's in messages?

Yes, but very seldom. On the order of once per million messages.

>    If you do, what effect do they have?

There are two varieties.

Sometimes I've seen repeated message-id fields. The exact same ID 
specified twice in the header of the same message. No effect.

Messages with two different message-ids also occur. In the real examples 
I've seen, both IDs were usually added in the same administrative 
domain, although sometimes I wasn't sure of that. This has little or no 
effect. More MUAs construct References from the first ID than from the 
second.

I've never seen a message with more than two Message-ID fields in the 
same header.

All this based on my corpus and YMMV and have a pleasant Sunday.

Arnt
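
An added example, not part of any post in this thread: a Python sketch that sorts messages into the cases the replies describe (no Message-ID, exactly one, the same ID repeated, two different IDs) and applies the strict exactly-one rule argued for above. The function names and the sample messages are constructed for illustration.

```python
from email import message_from_string

def message_ids(raw):
    """All Message-ID field values in header order (field name is case-insensitive)."""
    msg = message_from_string(raw)
    return [v.strip() for v in (msg.get_all("Message-ID") or [])]

def classify(raw):
    """Name the case: 'missing', 'single', 'repeated' (same ID twice) or 'conflicting'."""
    ids = message_ids(raw)
    if not ids:
        return "missing"
    if len(ids) == 1:
        return "single"
    return "repeated" if len(set(ids)) == 1 else "conflicting"

def gateway_accepts(raw):
    """Strict rule from the thread: exactly one Message-ID field, otherwise drop."""
    return len(message_ids(raw)) == 1

def reply_target(raw, prefer="first"):
    """The ID a lenient client would reference; first and last can disagree."""
    ids = message_ids(raw)
    if not ids:
        return None
    return ids[0] if prefer == "first" else ids[-1]

# Constructed sample messages, one per case discussed in the thread.
HEAD = "From: a@example.org\nTo: list@example.org\nSubject: test\n"
SAMPLES = {
    "single": HEAD + "Message-ID: <1@mua.example.org>\n\nbody\n",
    "repeated": HEAD + "Message-ID: <1@mua.example.org>\n"
                       "Message-Id: <1@mua.example.org>\n\nbody\n",
    "conflicting": HEAD + "Message-ID: <1@mua.example.org>\n"
                          "Message-ID: <2@msa.example.org>\n\nbody\n",
    "missing": HEAD + "\nbody\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw), gateway_accepts(raw),
              reply_target(raw, "first"), reply_target(raw, "last"))
```

In the conflicting case the two lenient choices return different IDs, so software that picks the first field and software that picks the last will thread or de-duplicate the same message differently.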

