On Wed, May 20, 1998 at 11:57:29AM -0400, Jay R. Ashworth put this into my mailbox:
On Wed, May 20, 1998 at 08:26:28AM -0700, Dalvenjah FoxFire wrote:
I hate to break it to you, but not everyone runs Win95 or a Niftee NT Box where people can forge ident to be whatever they please. Some of us actually run REAL multiuser operating systems where the ident can be trusted. [ ... ] I don't want to hear any BS about how 'ident is unreliable' and 'ident can't be trusted'. If it's been properly set up such that the ISP controls what is returned rather than the user, or if the protocol is properly redesigned to guarantee this, it *WILL* be trustworthy. And if a particular ISP can't be trusted to run a proper ident, then they get their entire network blocked.
I hate to point this out, Dal, but what is being asserted is that "the operator of the ident daemon is not under the same administrative span of control as I am". _That_ is why we say that it "cannot be trusted". Trust has a _very specific_ meaning there.
Okay...I can understand that. However, if the protocol gets redesigned to allow for a 'domain-wide' ident server (for sake of argument), and I set up my client to put up a flag when it gets an answer from the domain-wide server as opposed to the host server, I'm going to put more trust in that domain-wide server than I would a response from the host directly. It was also just pointed out to me that the idea of banning someone based on ident is a matter of authentication, not identification, and so doesn't really have a place in this discussion. I'm willing to forego that, and reserve that discussion for a different protocol.
It _might_ be reliable... but then again, it might not. Unless _you_ have a _contract_ with the _guy at the other end_, specifying that he'll run an authenticated ident server, and guarantee on pain of indemnity that it's accurate, you can't call it _trustworthy_.
There _is_ a difference between that and _useful_, however.
Agreed. Part of my original idea (which is now my main idea for this discussion) is that time and time again, I have gotten responses to complaints about users that 'we need another incident so we can correlate this with our logs properly'; or even better, 'oops, looks like we weren't logging yesterday'. If we can come up with some form of ident that makes it a no-brainer for the ISP to a) set up and b) plug in a string and get the username (or other identification token) and timestamp so they can give the user a good talking to or yank their account, I will be happy. My problem is folks who make sweeping declarations that because one isn't sure when one can trust ident, it's not useful at all. That's not the case.

-dalvenjah

--
Dalvenjah FoxFire (aka Sven Nielsen)        I bet living in a nudist colony takes
Founder, the DALnet IRC Network             all the fun out of Halloween.
e-mail: dalvenjah@dal.net
WWW: http://www.dal.net/~dalvenjah/
whois: SN90
Try DALnet! http://www.dal.net/
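An added example, not part of this thread, of the "plug in a string, get the username and timestamp" logging described above: it parses RFC 1413 ident replies, records the returned token with a timestamp so the remote site's admin can correlate a complaint against their own logs, and labels each record as a claim asserted by the remote host rather than something the querying side verified. The host name, ports and user names in it are constructed sample data.

```python
"""Record RFC 1413 ident replies as timestamped, remote-asserted claims for abuse correlation."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class IdentClaim:
    server_port: int          # TCP port on the host running identd
    client_port: int          # TCP port on our (querying) side
    opsys: str                # <opsys> field of the USERID reply
    user_id: str              # token the remote identd chose to return
    remote_host: str          # who asserted it (constructed value in the test)
    seen_at: str              # ISO 8601 UTC timestamp for log correlation
    # The token is exactly as trustworthy as the admin of remote_host:
    # it is asserted by that host, not verified by us.
    trust: str = "asserted-by-remote-host"


def parse_ident_reply(line: str, remote_host: str,
                      seen_at: Optional[str] = None) -> Optional[IdentClaim]:
    """Parse '<sport>, <cport> : USERID : <opsys> : <user-id>'.

    ERROR replies and malformed lines yield None: there is nothing to correlate.
    The user-id field may itself contain ':' per the RFC, so split at most 3 times.
    """
    fields = [f.strip() for f in line.rstrip("\r\n").split(":", 3)]
    if len(fields) != 4 or fields[1].upper() != "USERID":
        return None
    try:
        sport, cport = (int(p) for p in fields[0].split(","))
    except ValueError:
        return None
    ts = seen_at or datetime.now(timezone.utc).isoformat(timespec="seconds")
    return IdentClaim(sport, cport, fields[2], fields[3], remote_host, ts)


def correlation_line(claim: IdentClaim) -> str:
    """One log line the remote site's admin can search by user token or timestamp."""
    return (f"{claim.seen_at} ident remote={claim.remote_host} "
            f"ports={claim.server_port}/{claim.client_port} user={claim.user_id} "
            f"os={claim.opsys} trust={claim.trust}")


def find_by_user(log_lines: List[str], user_token: str) -> List[str]:
    """Given a complaint's user token, return the matching correlation lines."""
    return [ln for ln in log_lines if f" user={user_token} " in ln]
```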