Re: ``WHY TAP?'': A White Paper
Anders Andersson <andersa@mizar.docs.uu.se> Sat, 15 August 1992 03:22 UTC
Received: from ietf.nri.reston.va.us by IETF.NRI.Reston.VA.US id aa09659; 14 Aug 92 23:22 EDT
Received: from NRI.NRI.Reston.Va.US by IETF.NRI.Reston.VA.US id aa09655; 14 Aug 92 23:22 EDT
Received: from ietf.NRI.Reston.Va.US by NRI.Reston.VA.US id aa25813; 14 Aug 92 23:23 EDT
Received: from ietf.nri.reston.va.us by IETF.NRI.Reston.VA.US id aa09650; 14 Aug 92 23:22 EDT
Received: from NRI.NRI.Reston.Va.US by IETF.NRI.Reston.VA.US id ac09646; 14 Aug 92 23:22 EDT
Received: from sunic.sunet.se by NRI.Reston.VA.US id aa25798; 14 Aug 92 23:23 EDT
Received: from Mizar.DoCS.UU.SE by sunic.sunet.se (5.65c8/1.28) id AA27107; Sat, 15 Aug 1992 05:22:53 +0200
Received: by Mizar.DoCS.UU.SE (Sun-4/260, SunOS 4.0) with sendmail 5.61-bind 1.5+ida/ICU/DoCS/mizar id AA23809; Sat, 15 Aug 92 05:22:45 +0200
Date: Sat, 15 Aug 1992 05:22:45 +0200
From: Anders Andersson <andersa@mizar.docs.uu.se>
Message-Id: <9208150322.AA23809@Mizar.DoCS.UU.SE>
To: tytso@athena.mit.edu
Subject: Re: ``WHY TAP?'': A White Paper
Cc: brnstnd@kramden.acf.nyu.edu, ident@NRI.Reston.VA.US
Ted writes: >This is what my comment was referring to. I believe the sendmail patch >checks to see if the from address matches the username returned from the >ident server, either rejects or marks the mail as being forged if it >does not match. This will clearly break if you are using encrypted >Ident username tokens. I haven't examined the sendmail patch myself, but I think the procedure outlined above would reject quite a lot of non-forged mail as well. It's not always the case that the From: user owns the process performing actual delivery, as it may have been queued up for some reason and transmitted due to the actions of a system daemon. If the message has landed on an intermediary host, the 'user' performing actual delivery has most likely nothing to do whatsoever with the user who originated the message. At most, the SMTP server receiving the message can log the IDENT token, so it can be checked if a forgery is suspected. The operator of the SMTP server can then--after the fact--add a filter to reject or give other special treatment to further SMTP connections coming from that particular host and linked with that particular token, but that assumes the tokens aren't uniquely generated for each connection to be meaningful. As I understand it, the SMTP server can be configured from the very beginning to reject this kind of forgery (SMTP clients run by non- authorized users) *only* upon agreement with the SMTP client operator on which IDENT tokens should be assumed to represent authorized SMTP client users. There is no requirement that authorized users are always called "root", "daemon" or something like that, and it's even unlikely when we leave the Unix sphere. -- Anders Andersson, Dept. of Computer Systems, Uppsala University Paper Mail: Box 520, S-751 20 UPPSALA, Sweden Phone: +46 18 183170 EMail: andersa@DoCS.UU.SE
- ``WHY TAP?'': A White Paper Daniel J. Bernstein
- Re: ``WHY TAP?'': A White Paper Theodore Ts'o
- Re: ``WHY TAP?'': A White Paper Anders Andersson
- Re: ``WHY TAP?'': A White Paper Theodore Ts'o
- Re: ``WHY TAP?'': A White Paper Anders Andersson
- Re: ``WHY TAP?'': A White Paper Peter Eriksson
- Re: ``WHY TAP?'': A White Paper Daniel J. Bernstein
- Re: ``WHY TAP?'': A White Paper Daniel J. Bernstein