On 10/20/2003 at 16:31:45 -0400, Steven M. Bellovin said:
A number of people havce responded that they don't want to be forced to pay for a change that will benefit Verisign. That's a policy issue I'm trying to avoid here. I'm looking for pure technical answers -- how much lead time do you need to make such changes safely?
I think that the policy problem adds to the technical one. If the community were behind Sitefinder and supported Verisign's design goals, it would be possible to hammer out everything in a short period of time. But because the hearts and minds of those who would make the changes are not won, those responsible for implementing changes would drag their feet, hoard necessary resources, and use the incomplete state of their implementation as an obstacle to change and, should the change happen anyway, use this "evidence" of Verisign's "bad behavior" as an excuse to act openly against the service, on ways that have already been demonstrated. Thus, the human factor will make any purely technical estimate useless. Sadly, I do not feel qualified to give a detailed estimate on your question, as presented, which I find intriguing from a purely theoretical point of view, except to say that there are always going to be one-offs, unique builds, etc that willneed to be changed individually, and even without the sour feeling towards Sitefinder, there will be procrastination and compteting priorities. This is not, and never will be, the only thing that needs working on. Even with complete technical buy-in, I wouldn't expect the mass of users to be covered by these changes until the middle of next year if work started today. -Dave