Firewalls: Re: bogus email

Firewalls
(February 1993)

Indexed By Thread: [Previous] [Next]

Subject:	Re: bogus email
From:	ambar @ cygnus . com
Date:	Wed, 10 Feb 93 20:54:48 -0800
To:	Rahul Dhesi <dhesi @ rahul . net>
Cc:	firewalls @ GreatCircle . COM
In-reply-to:	Your message of "Wed, 10 Feb 93 19:23:21 PST." <199302110323 . AA22496 @ bolero . rahul . net>

   Date: Wed, 10 Feb 93 19:23:21 -0800
   From: Rahul Dhesi <dhesi @
 rahul .
 net>

   Having an identity server's output available allows us to hold a
   specific userid, or the machine owner, accountable for the TCP/IP
   connection.

Ahem.  "The machine owner" is all that we EVER knew.  The userid given
is, simply put, not trustworthy unless the machine owner is, and Ident
gives us NO assurance of the latter.

The original BSD triple says: someone on this machine owned this
connection.  The Ident server says: somebody on this machine owned this
connection.  Why?  Because you can't assume, a priori, that root on
another machine is trustworthy, and that ANYTHING Ident says is useful.

As someone else on this list said: Ident may be useful for internal
security measures (you trust yourself, but don't trust your users), but
is utterly pointless for external security (machines you don't control
and therefore can't trust.)

				AMBAR

Follow-Ups:

Re: bogus email
From: rens @ lorax . shearson . com (Rens Troost)
Re: bogus email
From: "Mark I. Williams" <M . Williams @ cc . uq . oz . au>

References:

Re: bogus email
From: Rahul Dhesi <dhesi @ rahul . net>

Indexed By Date	Previous:	Re: proxy software? itelnet/iftp? packet screens? X? From: jim @ tadpole . com (Jim Thompson)
Indexed By Date	Next:	Re: bogus email From: randy @ psg . com (Randy Bush)
Indexed By Thread	Previous:	Re: bogus email From: Rahul Dhesi <dhesi @ rahul . net>
Indexed By Thread	Next:	Re: bogus email From: "Mark I. Williams" <M . Williams @ cc . uq . oz . au>