spf-discuss

Re: New macro proposed %{u}

2004-02-02 19:22:01
On Tuesday 03 February 2004 1:33 am, Hallam-Baker, Phillip wrote:
I don't think we need to go to the process level. In the first place
I don't think it can be enforced. You are proposing to use an 
untrustworthy unauthenticated service for this information.

I don't know where you get the idea that identd is untrustworthy. It serves 
the purpose and ends of the administrator of the host it is running on.

If domain "xyz.com" chooses to trust the identd on "shells.xyz.com", because 
they consider the administrator of that machine to be trustworthy _but_ do not 
wish to trust all the users, why not let them?

If domain "abc.com" chooses to trust the ident service on the firewall/gateway 
host at "gateway.abc.com" because they know it has been correctly configured 
to return a unique token for each originating host behind the gateway, why 
not let them?

Secondly if someone is on a machine licensed to send from example.com
then that is good enough. Trying to go beyond that is too much.

As I have explained, that is not necessarily true.


There are Windows versions here: 
http://identd.dyndns.org/identd/
http://sourceforge.net/projects/identd/

And how likely are they to be secure?

I don't care; few Windows shops will want to use %{u} at first, and when they 
do they can go and make/buy a secure identd. It is chicken-and-egg.

This argument is just FUD and you know it. 

Just because UNIX is the most commonly used multi-user system and hence the 
most common identd user is no reason to say it is UNIX-specific.

I would turn identd off on a unix box as well, far too much
info for hackers.

You are welcome to. What on earth does that have to do with the proposal? 

Or are you saying that any feature which you _personally_ don't have a use for 
is a bad idea?

Is ident likely to make it through a firewall? This is the type of service I
would turn off both incoming and outgoing.

It depends on how you configure the firewall, which in turn depends on what 
you want. Like whether or not you wish to support ident.

The client queries will almost certainly break because most 
companies will not allow inetd queries.

Then they should not configure their domains with %{u} !!!

Anyone can misconfigure their systems with conflicting requirements. Saying 'I 
want ident macro expansion' in your SPF records and then blocking ident 
queries at your firewall would be dumb beyond belief.

I really can't see the relevance of this point. Did you come up with it just 
to irritate me? If so, you've succeeded!

Perhaps you simply don't understand the proposal...

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.5.txt
Wiki: http://spfwiki.infinitepenguins.net/pmwiki.php/SenderPermittedFrom/
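As an added example that is not part of this post, of SPF or of any identd, here is a small Python parser for the RFC 1413 ident reply that a %{u} lookup would consult. It follows the thread's own point that the returned user id is whatever the remote administrator's identd chooses to say: the token is kept opaque and untrusted, and the reply's echoed port pair is checked against the query. The sample replies are constructed.

```python
import re

# Added example, not code from the spf-discuss post. Sample replies are constructed.
# RFC 1413 reply grammar: "<server-port> , <client-port> : USERID : <opsys>[,<charset>] : <user-id>"
#                     or: "<server-port> , <client-port> : ERROR : <error-type>"
IDENT_RE = re.compile(
    r"^\s*(?P<sport>\d{1,5})\s*,\s*(?P<cport>\d{1,5})\s*:\s*"
    r"(?P<kind>USERID|ERROR)\s*:\s*(?P<rest>.*?)\s*$"
)


def build_ident_query(server_port: int, client_port: int) -> bytes:
    """Query line sent to port 113 for the TCP connection client_port -> server_port."""
    for p in (server_port, client_port):
        if not 1 <= p <= 65535:
            raise ValueError("port out of range")
    return f"{server_port} , {client_port}\r\n".encode("ascii")


def parse_ident_response(line: str) -> dict:
    """Parse one reply line; the user id is an opaque token chosen by the remote host."""
    m = IDENT_RE.match(line.rstrip("\r\n"))
    if not m:
        return {"status": "MALFORMED"}
    ports = (int(m["sport"]), int(m["cport"]))
    if m["kind"] == "ERROR":
        return {"status": "ERROR", "ports": ports, "error": m["rest"]}
    # Only the opsys field is structured; the user id runs to end of line and may
    # itself contain ':' (e.g. a gateway's per-host token), so split on the first one.
    opsys, sep, token = m["rest"].partition(":")
    if not sep or not token.strip():
        return {"status": "MALFORMED"}
    charset = "US-ASCII"
    opsys = opsys.strip()
    if "," in opsys:
        opsys, charset = (s.strip() for s in opsys.split(",", 1))
    # RFC 1413 caps the user id at 512 octets; keep it verbatim otherwise.
    return {"status": "USERID", "ports": ports, "os": opsys,
            "charset": charset, "token": token.strip()[:512]}


def reply_matches_query(reply: dict, server_port: int, client_port: int) -> bool:
    """A reply whose echoed port pair differs from what was asked is not usable."""
    return reply.get("ports") == (server_port, client_port)
```

The token is only as trustworthy as the administrator of the host answering on port 113, which is exactly the disagreement in the thread; the parser neither authenticates it nor sanitises it for later use.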

