Great Circle Associates Firewalls
(February 1993)
 


Subject: Re: bogus email
From: ambar @ cygnus . com
Date: Wed, 10 Feb 93 20:54:48 -0800
To: Rahul Dhesi <dhesi @ rahul . net>
Cc: firewalls @ GreatCircle . COM
In-reply-to: Your message of "Wed, 10 Feb 93 19:23:21 PST." <199302110323 . AA22496 @ bolero . rahul . net>

   Date: Wed, 10 Feb 93 19:23:21 -0800
   From: Rahul Dhesi <dhesi @ rahul . net>
   
   Having an identity server's output available allows us to hold a
   specific userid, or the machine owner, accountable for the TCP/IP
   connection.

Ahem.  "The machine owner" is all that we EVER knew.  The userid given
is, simply put, not trustworthy unless the machine owner is, and Ident
gives us NO assurance of the latter.

The original BSD triple says: someone on this machine owned this
connection.  The Ident server says: somebody on this machine owned this
connection.  Why?  Because you can't assume, a priori, that root on
another machine is trustworthy, and that ANYTHING Ident says is useful.

As someone else on this list said: Ident may be useful for internal
security measures (you trust yourself, but don't trust your users), but
is utterly pointless for external security (machines you don't control
and therefore can't trust.)

				AMBAR
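
An added illustration of the distinction drawn in this message, not part of the original post: a receiver that parses an Ident reply (RFC 1413 line format) and names a userid only when the peer is a machine it administers itself. The names INTERNAL_NETS, parse_ident_reply and attribute_connection are hypothetical, and the addresses and reply lines are constructed.

```python
import ipaddress

# Assumption: networks whose machines (and root accounts) we run ourselves.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # constructed range


def parse_ident_reply(line):
    """Parse one RFC 1413 reply line into a dict, or raise ValueError."""
    # Split at most three times so a userid containing ':' stays intact.
    parts = [p.strip() for p in line.rstrip("\r\n").split(":", 3)]
    if len(parts) < 3:
        raise ValueError("malformed ident reply")
    ports = [p.strip() for p in parts[0].split(",")]
    if len(ports) != 2 or not all(p.isdigit() for p in ports):
        raise ValueError("malformed port pair")
    reply = {"ports": (int(ports[0]), int(ports[1])), "type": parts[1].upper()}
    if reply["type"] == "ERROR":
        reply["error"] = parts[2]
    elif reply["type"] == "USERID" and len(parts) == 4:
        reply["opsys"], reply["userid"] = parts[2], parts[3]
    else:
        raise ValueError("unknown reply type")
    return reply


def attribute_connection(peer_ip, reply_line):
    """Return (accountable_party, userid_trusted) for one connection."""
    addr = ipaddress.ip_address(peer_ip)
    internal = any(addr in net for net in INTERNAL_NETS)
    try:
        reply = parse_ident_reply(reply_line)
    except ValueError:
        reply = {}
    userid = reply.get("userid")
    if internal and userid:
        # We control root on this machine, so its ident daemon is ours.
        return ("user %s on %s" % (userid, peer_ip), True)
    # External machine: root there decides what ident says, so the reply
    # adds nothing beyond "somebody on this machine owned the connection".
    return ("owner of %s" % peer_ip, False)


if __name__ == "__main__":
    print(attribute_connection("192.0.2.10", "6193, 23 : USERID : UNIX : alice\r\n"))
    print(attribute_connection("198.51.100.7", "6193, 23 : USERID : UNIX : root\r\n"))
```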


