Re: [Exim] Ident/Auth

Author: Philip Hazel
Date:  
To: Sheldon Hearn
CC: Conor Mc Goveran, exim-users
Subject: Re: [Exim] Ident/Auth
On Fri, 6 Aug 1999, Sheldon Hearn wrote:

> On Fri, 06 Aug 1999 13:47:07 +0100, Philip Hazel wrote:
>
> > I don't think, however, that we should perpetuate the use of "auth" to
> > refer to this protocol, especially in the light of later developments
> > such as RFC 2554, which describes an SMTP AUTH verb.
>
> It'd be unfortunate to take that stance, since auth is the canonical
> name of the service, while ident is an alias. See RFC1700.
I disagree. From RFC 1413:

The Identification Protocol was formerly called the Authentication
Server Protocol. It has been renamed to better reflect its function.

There was a flame war at the time, I seem to recall, because this
protocol really does *not* authenticate in any sense of the word.
Many people, to whom it was first presented as "authentication"
described it as useless rubbish. I still have trouble explaining to
people from time to time what it actually does and is useful for. They
say "It's trivially forged, so why bother?".

What I say to such people is this: "It is not trivially forged by
unprivileged users of multiuser hosts. If a user on one of our
multi-user machines abuses one of your hosts and you haven't logged the
RFC 1413 ident information from our host, then tough. We can't begin to
try to find out who it was from our thousands of users. We give out
RFC 1413 information for *our* use, not yours."

I note that RFC 1700 is now nearly 5 years old. I think things have
moved on, and in particular, as I noted, other forms of "real
authentication" are now on the scene (RFCs 2222, 2554, for example).

-- 
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
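The exchange Philip describes, seen from the receiving mail host's side, as an added example that is not part of this thread and is not Exim's own code: the receiver (the RFC 1413 client) sends the port pair to the connecting host's ident daemon on TCP port 113 and gets back either a USERID or an ERROR reply. The parser below checks that the reply echoes the ports of the connection it was asked about, bounds the user-id length, and renders a log field that makes an absent or unusable reply unmistakable, which is exactly what lets the originating site's administrators trace abuse later. The sample reply lines are constructed; the 512-octet user-id bound is RFC 1413's, and the `ident=` log field format is an assumption made for this example, not Exim's.

```python
import re
from dataclasses import dataclass
from typing import Optional

IDENT_PORT = 113          # well-known port of the RFC 1413 identification service
MAX_USERID_LEN = 512      # RFC 1413 upper bound on the user-id field

# <port-on-server> , <port-on-client> : USERID|ERROR : <rest>
RESPONSE_RE = re.compile(
    r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*(.*?)\s*$"
)


@dataclass
class IdentResult:
    kind: str                # "USERID" or "ERROR"
    opsys: Optional[str]     # e.g. "UNIX" (USERID replies only)
    charset: Optional[str]   # optional charset following the opsys, e.g. "US-ASCII"
    value: str               # the user-id, or the error token such as NO-USER


def build_ident_query(remote_port: int, local_port: int) -> bytes:
    """Query line sent to the remote host's ident daemon.

    RFC 1413 names the fields port-on-server and port-on-client relative to the
    host running the ident daemon, so from the mail receiver's side the first
    number is the remote end of the SMTP connection and the second is our own port.
    """
    return f"{remote_port} , {local_port}\r\n".encode("ascii")


def parse_ident_response(line: str, remote_port: int, local_port: int) -> Optional[IdentResult]:
    """Parse one reply line; return None for anything malformed or not about our connection."""
    m = RESPONSE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    echoed_remote, echoed_local, kind, rest = m.groups()
    # A reply that does not echo the ports we asked about says nothing about
    # this connection, so it must not end up in the log as if it did.
    if int(echoed_remote) != remote_port or int(echoed_local) != local_port:
        return None
    if kind == "ERROR":
        return IdentResult("ERROR", None, None, rest)
    if ":" not in rest:
        return None                      # USERID reply without the opsys/user-id separator
    opsys_field, userid = rest.split(":", 1)
    userid = userid.strip()
    if not userid or len(userid) > MAX_USERID_LEN:
        return None
    opsys, _, charset = (part.strip() for part in opsys_field.partition(","))
    return IdentResult("USERID", opsys, charset or None, userid)


def ident_log_field(result: Optional[IdentResult]) -> str:
    """Field for the receiver's connection log (format assumed for this example).

    Missing or unusable replies are recorded explicitly so they can never be
    confused with a real user name, and non-printable octets in a user-id are
    neutralised so a remote daemon cannot inject line breaks into our log.
    """
    if result is None:
        return "ident=<invalid>"
    if result.kind == "ERROR":
        return f"ident=<{result.value}>"
    safe = "".join(ch if ch.isprintable() else "?" for ch in result.value)
    return f"ident={safe}"


if __name__ == "__main__":
    # Constructed sample exchange: remote port 6193 connected to our SMTP port 25.
    print(build_ident_query(6193, 25))
    for reply in ("6193, 25 : USERID : UNIX : stjohns\r\n",
                  "6193, 25 : ERROR : NO-USER\r\n",
                  "6194, 25 : USERID : UNIX : mallory\r\n"):   # wrong port pair
        print(ident_log_field(parse_ident_response(reply, 6193, 25)))
```

The port check and the explicit `<invalid>` / `<NO-USER>` markers are the defensive part: the reply is only ever treated as a hint recorded for the originating site's benefit, never as authentication, which matches the point made above.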