Re: ietf-nntp BCP for RFC977 server/RFC1036 interaction
USENET news manager <newsmaster@ucs.cam.ac.uk> Thu, 10 April 1997 09:17 UTC
Received: from cnri by ietf.org id aa09342; 10 Apr 97 5:17 EDT
Received: from ANNOUNCER.ACADEM.COM by CNRI.Reston.VA.US id aa05848; 10 Apr 97 5:17 EDT
Received: (from majordomo@localhost) by announcer.academ.com (8.8.5/8.7.3) id EAA22856 for ietf-nntp-outgoing; Thu, 10 Apr 1997 04:09:18 -0500 (CDT)
X-Authentication-Warning: announcer.academ.com: majordomo set sender to owner-ietf-nntp using -f
Received: from academ.com (root@ACADEM.COM [198.137.249.2]) by announcer.academ.com (8.8.5/8.7.3) with ESMTP id EAA22851 for <ietf-nntp@ANNOUNCER.ACADEM.COM>; Thu, 10 Apr 1997 04:09:15 -0500 (CDT)
Received: from lyra.csx.cam.ac.uk (exim@lyra.csx.cam.ac.uk [131.111.8.36]) by academ.com (8.8.5/8.7.1) with SMTP id EAA02111 for <ietf-nntp@academ.com>; Thu, 10 Apr 1997 04:09:11 -0500 (CDT)
Received: from news by lyra.csx.cam.ac.uk with local (Exim 1.61 #1) id 0wFFqj-0002TV-00; Thu, 10 Apr 1997 10:08:57 +0100
Subject: Re: ietf-nntp BCP for RFC977 server/RFC1036 interaction
To: ietf-nntp@academ.com
Date: Thu, 10 Apr 1997 10:08:57 +0100
In-Reply-To: <199704081459.KAA17038@sulphur.osf.org> from "Rich Salz" at Apr 8, 97 10:59:23 am
From: USENET news manager <newsmaster@ucs.cam.ac.uk>
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Message-Id: <E0wFFqj-0002TV-00@lyra.csx.cam.ac.uk>
Sender: owner-ietf-nntp@academ.com
Precedence: bulk
Rich Salz wrote: > >>Given that creating the NNTP-Posting-User header may involve inserting >>information from an external and potentially malicious source > >Don't do that. > >I mean this in a more than flip manner. If the server is attempting to >identify who the client is, and report that information, then it must >have a way of being able to trust the information that it puts out there. >This *might* mean, for example, an admin-maintained list of ipaddr's >where identd can be trusted (e.g., general timesharing machines). That would be totally unworkable in many situations - e.g. here, in a university environment where I have no control over most of the 15K+ systems registered on our network (probably 20% of them running UNIX, rest mostly DOS/Windows PCs and Macintoshes) and a great many of the systems are managed by their owner, some graduate student that got landed with the job, ... in particular, with minimal central control. Probably many thousands of distinct system managers (for varying definitions of system manager). In the case of the LINUX boxes, most people probably don't even realise they're typically giving ident responses out-of-the-box. In an ISP environment, to take another example, where they provide dialup IP connectivity for individual systems or for whatever network the customer has, they are not going to have the time to ask whether ident can be trusted on any, or all, the systems a particular customer has today, and no telling whether it will true for the systems connected tomorrow. They've no way of knowing, in any case, if the person they ask is telling the truth. As long as they pay the bills and stick to the Acceptable Use Policy... If you insist on only "guaranteed" (for some random definition) identity information being included, you probably might as well not bother defining the header, because it will be used so rarely as to be useless. >If you're just gonna randomly connect somewhere and take whatever spews out, >then why not just let the bloody client put whatever value they want? For a start, because in many cases the information will be more trustworthy than information supplied by the newsreader/user, though of course in many cases these days the sysadmin of a random UNIX box is also the user. Even there the ident information may be more reliable, as in the case of LINUX boxes providing it without the sysadmin (=potentially malicious user) even realising it's set up by default. In any case, without some form of tamper-proof signing of all articles, you've no assurance that some server between the originating system and you has not altered the headers (and/or body), even if the ident info or whatever was reliable at the point of posting. On the other hand ... the information in the header, as it reaches you, DOES provide potentially valuable information. It *may* be accurate. Only the person running the originating system will know for sure how reliable it is (and that person may be out to mislead you and dodge responsibility), but for a well-run system with responsible management, if you can point out that user xyz as identified in the header (assuming it reached you unmodified, so they would have to be cautious in trusting what you told them) on their system abc sent an article which was objectionable for some reason, that may at the very least be sufficient for them to have a word with the person concerned. Or after cross-checking with their logging, they might be 99.9% certain that the person really was responsible and take more serious action, or take a harder line during the interview ("you did this, why?" rather than "did you do this?"). John Line -- Cambridge University Computing Service - USENET news manager. Usually John Line newsmaster@ucs.cam.ac.uk (alias {newsmaster,news,usenet}@news.cam.ac.uk)
- ietf-nntp BCP for RFC977 server/RFC1036 interacti… Chris Lewis
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… Rich Salz
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… USENET news manager
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… Nat Ballou
- RE: ietf-nntp BCP for RFC977 server/RFC1036 inter… Ian King
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… Evan Champion
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… Evan Champion
- Sender header (was Re: ietf-nntp BCP ...) Chris Newman
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… Evan Champion
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… Rich Salz
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… Evan Champion
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… Brian Kantor
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… Brian Kantor
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… Evan Champion
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… Jack De Winter
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… William H. Magill
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… Brian Kantor
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… Chris Lewis
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… Chris Lewis
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… Chris Lewis
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… lfirrantello
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… Thomas 'Mike' Michlmayr
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… Chris Lewis
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… Nat Ballou
- ietf-nntp BCP for RFC977 server/RFC1036 interacti… Chris Lewis
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… Clive D.W. Feather
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… Rich Salz
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… Kenneth Herron
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… Rich Salz
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… der Mouse
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… Clive D.W. Feather
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… Rich Salz
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… Ade Lovett
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… Brian Kantor
- POST, IHAVE, and header-munging (was Re: ietf-nnt… Ade Lovett
- NNTP-Posting-Host (was Re: ietf-nntp BCP for RFC9… Ade Lovett
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… Rich Salz
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… Ade Lovett
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… Anne Bennett
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… der Mouse
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… Ade Lovett
- ietf-nntp Announce: Mailing list for RFC 1036 upd… Simon Lyall
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… USENET news manager
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… Ade Lovett
- Re: Re: ietf-nntp BCP for RFC977 server/RFC1036 i… Heiko W.Rupp
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… Rich Salz
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… USENET news manager
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… Rich Salz
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… der Mouse
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… Rich Salz
- Re: ietf-nntp BCP for RFC977 server/RFC1036 inter… der Mouse
- Re: ietf-nntp Announce: Mailing list for RFC 1036… Harald.T.Alvestrand
- Re: ietf-nntp Announce: Mailing list for RFC 1036… Brian Hernacki
- Re: ietf-nntp Announce: Mailing list for RFC 1036… Chris Lewis
- Re: ietf-nntp Announce: Mailing list for RFC 1036… Tom Killalea