[openssl-users] Spam and posting controls

Johann v. Preußen jvp at forthepolls.org
Wed Apr 20 06:55:53 UTC 2016 

Mr. Salz:

despite mr dukhovni's assertion that spam is not a problem and that people that 
are concerned about it are a problem, i contend that the seeming laxness of list 
controls is the core problem and spam is just an indicating vector. to wit:

'/List membership is not public/' which may be true until someone busts into the 
list and become privy to all of the personal data of posters. such intrusions 
will continue until someone addresses these breeches for what they are: security 
lapses.

'/Only members can post to the list/' is obviously not true when the same party 
which has prompted this thread posted to the list twice in a short time-frame 
(and this has happened before) from IP's without rDNS, from a bogus 
email/domain, and via an unknown MTA. these glitches can be easily caught in 
postfix when it is set up with a pretty minimalist approach to security.

my comment re aliases goes to the concern that a list that is all about 
HTTP/SMTP security and identity surety is freely dispersing so much personally 
identifiable subscriber information (PII) that is of such a high order of 
sensitivity that it is protected under U.S. Title XIII with parallel Canadian 
codes, even more stringent EU reg's such as 'Directive 95/46/EC' and the 
newly-enacted 'General Data Protection Regulation' ('GDPR'), and some EU Member 
regulations with stronger protections than those embodied in 95/46/EC (such as 
Nederland 'Wet bescherming persoonsgegevens' and UK 'Data Protection Act' 
amongst others).

in reality, openssl has no choice but to eventually comply with GDPR which would 
prohibit what is currently being done. so, it would be best to just get on with 
adapting all openssl systems to meet higher ethical and regulatory standards 
before they are embarrassingly imposed or, much worse, be shown to have operated 
in such a way that system breeches at subscriber firms could be traced back to 
openssl.


Thank you,

Johann v. Preußen


On 2016.Apr.19 19:03, Salz, Rich wrote:
>> the wider problem case is how non-subscribers are given two-way access to the list that exposes so much subscriber info (name, professional affiliation, email addr, ...) to whomever. i cannot fathom why the list does not make use of aliases so that each subscriber can control what they want to make public via their alias profile.
> List membership is not public .  Only members can post to the list.  Not sure what else you think we are doing wrong.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160419/3484a586/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3825 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160419/3484a586/attachment-0001.bin>

More information about the openssl-users mailing list