Date: 2 Apr 2002 00:23:56 -0000
From: "D. J. Bernstein"
To: chat@freebsd.org
Subject: Re: qmail (Was: Maintaining Access Control Lists )
Message-ID: <20020402002356.6243.qmail@cr.yp.to>

Benjamin Krueger writes:

> It's a charlatan's promise. He fails to define security, or bug, or anything
> else really, and retains the right to define it at a later time (preferably
> after you've already reported it). If a company were to offer to pay you for
> your services in finding bugs, but not define bug or security, and after many
> years nobody was ever able to get a successful claim out of them despite
> getting many submissions, it would be called Fraud.

There have been zero submissions for the qmail security guarantee. There
have been zero submissions for the djbdns security guarantee.

The documentation in the very first qmail release pointed out that there
are many remote denial-of-service attacks on Internet mail. Later, when I
offered a security guarantee, I quite clearly excluded those attacks.
(15 January 1997: ``Some holes that don't qualify: corrupting DNS data;
breaking TCP/IP; breaking NFS; denying service.'')

If you think that Venema submitted his ``attack,'' or that my comments on
the stupidity of his ``attack'' are the only reason that the security
guarantee remains unclaimed, you are massively confused.

Furthermore, I find it strange that you allude to the sentence ``My
judgment is final as to what constitutes a security hole in djbdns'' from
http://cr.yp.to/djbdns/guarantee.html without even mentioning the next
sentence: ``Any disputes will be reported here.''

You also neglect to mention that my web page names four broad classes of
security holes, with three examples of specific BIND bugs (1998 IQUERY,
1999 NXT, 2001 TSIG) as illustrations. There are no disputed examples, so
there's no point in writing a more comprehensive definition.

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago