North American Network Operators Group

Re: Suggestion for improved identD
On Wed, May 20, 1998 at 11:57:29AM -0400, Jay R. Ashworth put this into my mailbox:

> On Wed, May 20, 1998 at 08:26:28AM -0700, Dalvenjah FoxFire wrote:
> > I hate to break it to you, but not everyone runs Win95 or a Niftee NT
> > Box where people can forge ident to be whatever they please. Some of us
> > actually run REAL multiuser operating systems where the ident can be trusted.
> [ ... ]
> > I don't want to hear any BS about how 'ident is unreliable' and 'ident
> > can't be trusted'. If it's been properly set up such that the ISP controls
> > what is returned rather than the user, or if the protocol is properly
> > redesigned to guarantee this, it *WILL* be trustworthy. And if a particular
> > ISP can't be trusted to run a proper ident, then they get their entire
> > network blocked.
>
> I hate to point this out, Dal, but what is being asserted is that "the
> operator of the ident daemon is not under the same administrative span
> of control as I am". _That_ is why we say that it "cannot be
> trusted". Trust has a _very specific_ meaning there.

Okay... I can understand that. However, if the protocol gets redesigned to allow for a 'domain-wide' ident server (for sake of argument), and I set up my client to put up a flag when it gets an answer from the domain-wide server as opposed to the host server, I'm going to put more trust in that domain-wide server than I would a response from the host directly.

It was also just pointed out to me that the idea of banning someone based on ident is a matter of authentication, not identification, and so doesn't really have a place in this discussion. I'm willing to forgo that, and reserve that discussion for a different protocol.

> It _might_ be reliable... but then again, it might not. Unless _you_
> have a _contract_ with the _guy at the other end_, specifying that
> he'll run an authenticated ident server, and guarantee on pain of
> indemnity that it's accurate, you can't call it _trustworthy_.
>
> There _is_ a difference between that and _useful_, however.

Agreed. Part of my original idea (which is now my main idea for this discussion) is that time and time again, I have gotten responses to complaints about users that 'we need another incident so we can correlate this with our logs properly'; or even better, 'oops, looks like we weren't logging yesterday'. If we can come up with some form of ident that makes it a no-brainer for the ISP to a) set up and b) plug in a string and get the username (or other identification token) and timestamp so they can give the user a good talking to or yank their account, I will be happy.

My problem is folks who make sweeping declarations that because one isn't sure when one can trust ident, it's not useful at all. That's not the case.

-dalvenjah

--
Dalvenjah FoxFire (aka Sven Nielsen)
Founder, the DALnet IRC Network
e-mail: [email protected]
WWW: http://www.dal.net/~dalvenjah/
whois: SN90
Try DALnet! http://www.dal.net/

I bet living in a nudist colony takes all the fun out of Halloween.