Dear Richard:

I will suggest a couple of minor modifications:

New paragraph:

> The operator should be cognizant that the preceding mechanisms
> do not address all security risks. In particular, they will not help in
> the case of “malicious clients” possessing valid credentials to
> authenticate. The threat here can be that legitimate clients have
> become subverted by an attacker and are now ‘bots’ being asked to
> participate in a DDoS attack. The Calendar information would be valuable
> information for when to persecute a DDoS attack. A mechanism such as
> a monitoring system that detects abnormal behaviors may still be
> needed."

Suggested changes:

The operator should be cognizant that the preceding mechanisms do not address all security risks. In particular, they will not help in the case of “malicious clients” possessing valid authentication credentials. The threat here is that legitimate clients have become subverted by an attacker and are now ‘bots’ being asked to participate in a DDoS attack. The Calendar information now becomes valuable in knowing exactly when to perpetrate a DDoS attack. A mechanism such as a monitoring system that detects abnormal behaviors may still be needed.

Cheers,

- vijay

[ Trimmed the Cc list to avoid email explosion on a minor change. ]
_______________________________________________
alto mailing list
alto@ietf.org
https://www.ietf.org/mailman/listinfo/alto