list of 73 problems with ident draft
"Daniel J. Bernstein" <brnstnd@kramden.acf.nyu.edu> Fri, 26 June 1992 16:42 UTC
Received: from ietf.nri.reston.va.us by IETF.NRI.Reston.VA.US id aa06196; 26 Jun 92 12:42 EDT
Received: from NRI.NRI.Reston.Va.US by IETF.NRI.Reston.VA.US id aa06192; 26 Jun 92 12:42 EDT
Received: from ietf.NRI.Reston.Va.US by NRI.Reston.VA.US id aa18142; 26 Jun 92 12:42 EDT
Received: from ietf.nri.reston.va.us by IETF.NRI.Reston.VA.US id aa06186; 26 Jun 92 12:42 EDT
Received: from NRI.NRI.Reston.Va.US by IETF.NRI.Reston.VA.US id aa06182; 26 Jun 92 12:41 EDT
Received: from KRAMDEN.ACF.NYU.EDU by NRI.Reston.VA.US id aa18114; 26 Jun 92 12:41 EDT
Received: from LOCALHOST by KRAMDEN.ACF.NYU.EDU (5.61/1.34) id AA19098; Fri, 26 Jun 92 16:41:49 GMT
Message-Id: <9206261641.AA19098@KRAMDEN.ACF.NYU.EDU>
To: ident@NRI.Reston.VA.US
Subject: list of 73 problems with ident draft
Date: Fri, 26 Jun 1992 12:41:44 +0100
From: "Daniel J. Bernstein" <brnstnd@kramden.acf.nyu.edu>
I have been asked to provide a list of problems with this group's current document, draft-ietf-ident-idserver-00.txt. Issues are labeled as ``easy,'' ``factual,'' ``technical,'' ``larger,'' ``constituency,'' and ``process.'' (Larger issues are basically technical issues, but include issues such as ``what's the point to this unnecessary complexity?'' Process issues are mainly items which weren't properly discussed on the list before being slipped into the document. Constituency issues refer to implementations of RFC 931 variants in general; obviously there's no existing implementation of the Ident protocol per se. I have not attempted here to outline methods to fix the problems listed below, for two reasons: (1) I don't have the time; (2) the methods have all been stated before. I count seventy-three individual problems below. I hope, but have not made any serious attempt to verify, that this list is complete. On the other hand, if each of the seventy-three objections is properly addressed, I'll be so pleased that I won't care about the few minor problems which remain. Lest this promise be misinterpreted: If StJohns continues to slip new extensions and changes into the document without waiting for the group to agree on them, then I probably will object once again. > Identification Server Easy: The document doesn't consistently name the protocol. > The Identification Server Protocol provides a means to determine the > identity of a user of a particular TCP connection. Larger: This is unnecessarily limiting. Also see below about interpretation of identifiers. Constituency: Some of the current use of ident (analogous to the use of finger to transmit weather information) would not be permitted. > The server may then either shut the connection down or > it may continue to read/respond to multiple queries. Larger: There is no demonstrated use for this extension. Technical: It is more difficult to implement a multiple-query server than a single-query server. Constituency: This has not been implemented on a wide scale. > The server > should close the connection down after a configurable amount of > time with no queries - a 60-180 second idle timeout is recommended. Technical: The suggested timeout is too small for many wide-area connections on the current Internet. Technical: In practice it is the client, not the server, which needs to worry about timeouts. Larger: We should not dictate administrative policies such as how long servers should run. Larger: This timeout is unnecessary. Constituency: This timeout has not been implemented. > This means a user > on address A may only query the server on address B about > connections between A and B. Easy: The misplacement of ``only'' makes this sentence confusing. > N.B - "local" and "foreign" are relative. If there is a TCP > connection from host A to host B, <local-port> on host A equals > <foreign-port> on host B and <foreign-port> on host A equals > <local-port> on host B. Factual: This description confuses the protocol concepts of <local-port> and <foreign-port> with certain symmetries in a TCP connection. It is thus incorrect. Larger: Why don't we just give an example? > The character set (if present) is seperated from the operating > system name by "///". (I will ignore the issue of which separator is chosen; it looks like people have settled on comma.) Technical: This makes implementations somewhat more difficult. Constituency: This has not been implemented before. Easy: ``separated.'' > The character set identifier is used to > indicate the character set of the identification string. Larger: What is ``the character set of the identification string'' supposed to *mean*? This is a serious question. If the character set serves no purpose other than to indicate that certain characters will not appear in the coming text, then it's an entirely useless field. If the character set serves to complicate the syntax (see below), then it's worse than useless. Finally, if the character set is meant to dictate the *interpretation* of the identification string, then it is dangerous (see below). Larger: The protocol at hand cannot be implemented until character sets are laid down somewhere. Why are we damaging the protocol in this way? > A particular operating system identifier implies a specific > consistent format for the user identification string. Larger: This remnant of RFC 931 is obsolete. Larger: The questions above about character sets apply equally to ``format.'' Process: This statement has been objected to, repeatedly, by many people, and has not been justified. It should not appear in the document. Constituency: No existing implementation uses the OS identifier to determine identifier format. > E.g. > "UNIX" implies an 8 character user id. Factual: Many UNIX systems---including locally modified variants of otherwise quite standard systems---support longer userids than 8. Technical: For a typical client to obey this restriction requires special handling of userids longer than 8 characters. (This applies only to clients meant to be portable---i.e., all the popular clients today.) Constituency: Existing implementations violate this restriction. Process: This definition was not discussed. > "OCTET" indicates the identifier is an unformatted octet string > - all octets are permissible EXCEPT \000 (NUL), \012 (LF) and > \015 (CR). Technical: For an implementation to support character sets, OCTET, and OTHER requires a significant amount of special-case handling. Larger: Existing use dictates an interpretation of all identifiers in the way specified above for OCTET---but then what happened to the operating system identifier, which was useful for separate reasons? Constituency: No existing implementation supports OCTET. Process: OCTET has not been discussed properly. > N.B. - space characters (\040) following the colon > seperator ARE part of the identifier string and may not be > ignored. Technical: This demands even more special cases in implementation. Larger: Why are we insisting upon making the protocol more complex than it has to be? Why are we damaging the protocol in this way? Process: This change was not agreed upon. Constituency: All implementations ignore white space after the colon. (I admit that this won't be a problem unless someone naively changes ``OTHER'' to ``OCTET'' in some code.) > "OTHER" must be specified if there is no > registered format for a user id for this operating system, Larger: Why are we making this restriction? This is obsolete, just like operating-system-determines-identifier-format. Of course, if the latter is fixed, then this problem will go away too. Constituency: Existing implementations violate this restriction. > Can't determine connection owner; reason unknown. Any error > not covered above should return this error code value. Technical: This contradicts the extensibility of X-errors defined later. > In addition, the server is allowed to drop the query connection > without responding. Constituency: In existing implementations this generally happens only for INVALID-PORT. The point is to give the server an out if the client is misbehaving, not to let the server be obnoxious. [ BNF ] Technical: Does this BNF agree with the text? > 1) White space (blanks and tab characters) between tokens is not > important and may be ignored. Technical: This contradicts the previous statement about OCTET, and the latter is not explicitly identified as taking precedence. > specifically, any amount of white space > is permitted at the beginning or end of a line both for queries > and responses. [ followed by a modification for USERID ] Technical: It complicates server processing to allow for ignored white space at the beginning or end of a line in any situation. Larger: What conceivable purpose is served by allowing white space at the beginning of a line? Constituency: Existing server implementations violate this requirement. > 2) For purposes of comparison for all fields the USERID > field, uppercase is not distinct from lower case. I.e. > "Error" and "ERROR" are the same value. Easy: There's some editing problem here. Technical: This equivalence complicates server processing. Larger: Why are we even bothering to address this issue? What is wrong with simply saying that ERROR is the token and not worrying about it? Constituency: Some (though not all) existing implementations *do* distinguish between upper and lower case in the userid field. Constituency: Existing implementations do not allow lowercase for USERID or ERROR. > 4) The 512 character limit on user IDs and the 64 character > limit on tokens should be understood to mean as follows: a) No > new token (i.e. OPSYS or ERROR-TYPE) token will be defined that > has a length greater than 64 and b) a server SHOULD NOT send > more than 512 octets of user ID and a client MUST accept at > least 512 octets of user ID. Because of this limitation, a > server MUST return the most significant portion of the user ID > in the first 512 octets. Technical: The words ``accept'', ``SHOULD NOT'', and ``MUST'' have not been defined. > 6) Although <user-id> is defined as an <octet-string> above, it > must follow the format and character set constraints implied by > the <opsys-field>; see the discussion above. Easy: This is hopelessly redundant. > Security Considerations: Larger: Why are we discussing security here? Process: Despite the general agreement of nearly everyone involved in the development of this protocol that we should split the security section off into a separate document, there's still a security section here, and we're still arguing about it. Certain issues noted above have to do with the interpretation of identifiers. Constituency: Existing implementations do not interpret identifiers as anything beyond their intrinsic existence as octet strings. Larger: If we define any sort of interpretation of identifiers then we are encouraging people to act along the lines of Sun's idiotic ``+ in rhosts.'' From a security standpoint this is reckless. > The information returned by this protocol is at most as trustworthy > as the host providing it OR the organization operating the host. Technical: The word ``trustworthy'' has not been defined. Technical: The concept of ``operating'' is not relevant to this protocol. Factual: With at least one definition of ``trustworthy,'' this statement is incorrect. Process: This statement is a model of non-consensus and should not appear in the document. (The same comments apply to the remainder of the paragraph.) > The Identity Protocol is not intended as an authorization or access > control protocol. Constituency, process, factual, technical, larger: this statement is *wrong*. Take it away. > The use of the information returned by this protocol for other than > auditing is strongly discouraged. Constituency, process, factual, technical, larger: this statement is *stupid*. Take it away. > Specifically, using Identity > Protocol information to make access control decisions - either as > the primary method (i.e no other checks) or as an adjunct to other > methods may result in a weakening of normal host security. Factual: This statement is so obviously incorrect that I can't believe it's being said with a straight face. Process: This statement has been objected to, repeatedly, and not justified. > An Ident server may reveal information about users, entities, > objects or processes which might normally be considered private. > An Ident server provides service which is a rough analog of the > CallerID (tm) services provided by some phone companies and many of > the same privacy considerations and arguments that apply to the > CallerID service apply to Ident. If you wouldn't run a "finger" > server due to privacy considerations you may not want to run this > protocol. Factual: The CallerID analogy isn't even close to correct. Larger: What is wrong with including *just the last sentence*? ---Dan
- list of 73 problems with ident draft Daniel J. Bernstein