On Wed, May 20, 1998 at 12:25:48AM -0400, Christopher Neill put this into my mailbox:
> There are valid reasons for a mail to be sent claiming to be sent from an address it wasn't actually sent from (this is why there is sendmail -f). Identd, on the other hand, is wholly worthless. I can't believe people actually trust it (ie, in wrappers), as it is so trivially forged.
>
> I think the "proxy ident" idea is the most silly thing I've heard in ages. Come up with a rotating key-based way to authenticate clients and we can talk turkey..
I hate to break it to you, but not everyone runs Win95 or a Niftee NT Box where people can forge ident to be whatever they please. Some of us actually run REAL multiuser operating systems where the ident can be trusted. In these cases, the ident value is often the only method we've got for tracking down a particular user. Otherwise, someone who spams, or otherwise abuses someone's services could be any one of a hundred users.

When it's properly set up by clueful people and can be trusted, ident is good for exactly one thing: identification. While ident may not need to return a string useful to you or me, it is useful to the ISP in that this string can be used to reliably identify a user (or, most likely, an abuser). In addition, if the *same* string is returned each time ident is queried for a particular user, this can be used in a hosts.deny or other ban. If JoeSpammer@pm65.yourisp.com decides to try and bring down my mail servers by spamming my users with Make Money Fast, I can add JoeSpammer@*.yourisp.com to hosts.deny, and my friend Fred@yourisp.com can still send me e-mail. Same goes for IRC.

I don't want to hear any BS about how 'ident is unreliable' and 'ident can't be trusted'. If it's been properly set up such that the ISP controls what is returned rather than the user, or if the protocol is properly redesigned to guarantee this, it *WILL* be trustworthy. And if a particular ISP can't be trusted to run a proper ident, then they get their entire network blocked. Right now, if someone from earthlink.net or aol.com or uu.net starts abusing my services, I'm pretty much screwed. Do I let the idiot keep doing it, and hope that the abuse desk gets around to my complaint in the next week? Or do I ban the entire domain and hope to god that the number of e-mails asking what happened is under ten thousand this time?
Some way of determining that the user connecting now from ip5.tnt11.max5.dallas.uu.net is the same person who came on collecting passwords from ip2.tnt5.max3.sanantonio.uu.net would be REALLY nice. Note, ident doesn't have to be 100% reliable and trustworthy all of a sudden. Nobody should ever use it for authentication. But it sure would be nice if it (or something like it) could be trusted to determine, to both sides, that UserA who's connecting at 4 PM is the same UserA who connected at 10 AM. That's all it needs to do.

-dalvenjah

--
Dalvenjah FoxFire (aka Sven Nielsen)     "Never mess with a dragon, for you are
Founder, the DALnet IRC Network           crunchy, and taste good with ketchup."
e-mail: dalvenjah@dal.net                 WWW: http://www.dal.net/~dalvenjah/
whois: SN90                               Try DALnet! http://www.dal.net/
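The exchange the thread is arguing about is the RFC 1413 ident query and reply. The following is an added example, not code from either poster: it builds the query line, parses both the USERID and ERROR reply forms, and turns a positive reply into the user@host client pattern that hosts_access(5) accepts in hosts.deny. The sample reply lines are constructed (the port pair and user name follow the RFC's own example); the function and field names are this example's, and the pattern uses the leading-dot suffix form from hosts_access(5) rather than the `*.` wildcard in the post.

```python
import socket
from typing import Optional

IDENT_PORT = 113  # RFC 1413 "auth" service


def build_ident_query(remote_port: int, local_port: int) -> bytes:
    """RFC 1413 request: '<port-on-server> , <port-on-client>' + CRLF.
    remote_port is the peer's source port (the host running identd);
    local_port is our own port on that same TCP connection."""
    return f"{remote_port} , {local_port}\r\n".encode("ascii")


def parse_ident_reply(line: str) -> dict:
    """Parse one reply line. Positive form is
    '<rp> , <lp> : USERID : <opsys> : <user-id>', negative form is
    '<rp> , <lp> : ERROR : <error-type>'. The user-id may itself contain
    ':' (RFC 1413 takes everything after the third colon), hence maxsplit=3."""
    parts = [p.strip() for p in line.rstrip("\r\n").split(":", 3)]
    ports = [p.strip() for p in parts[0].split(",")]
    if len(parts) < 3 or len(ports) != 2 or not all(p.isdigit() for p in ports):
        raise ValueError(f"malformed ident reply: {line!r}")
    reply = {"remote_port": int(ports[0]), "local_port": int(ports[1]),
             "status": parts[1].upper()}
    if reply["status"] == "USERID" and len(parts) == 4:
        reply["opsys"], reply["user"] = parts[2], parts[3]
    elif reply["status"] == "ERROR":
        reply["error"] = parts[2]          # e.g. NO-USER, HIDDEN-USER
    else:
        raise ValueError(f"unknown reply type: {line!r}")
    return reply


def wrappers_pattern(reply: dict, domain: str) -> Optional[str]:
    """hosts_access(5) client pattern 'user@.domain' for a positive reply.
    It is only as trustworthy as the ISP's identd: the string is whatever the
    remote side chose to return, so it attributes, it does not authenticate."""
    if reply["status"] != "USERID" or not reply["user"]:
        return None
    return f"{reply['user']}@.{domain}"


def query_ident(host: str, remote_port: int, local_port: int,
                timeout: float = 5.0) -> dict:
    """Send one query to the peer's ident daemon and parse its answer."""
    with socket.create_connection((host, IDENT_PORT), timeout=timeout) as s:
        s.sendall(build_ident_query(remote_port, local_port))
        data = b""
        while b"\n" not in data and len(data) < 1024:   # one line, bounded
            chunk = s.recv(256)
            if not chunk:
                break
            data += chunk
    return parse_ident_reply(data.decode("ascii", "replace"))
```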