Subject: Re: identd...
To: Andrew Brown <atatat@atatdot.net>
From: David Maxwell <david@vex.net>
List: current-users
Date: 12/13/2000 13:56:38
On Tue, Dec 12, 2000 at 05:17:38PM -0500, Andrew Brown wrote:
> >Maybe strong crypto (depending on how you define it) is not necessary to
> >do this from a strict technical point of view, but in the real world
> >using an encrypted reply makes a great deal more sense all around.
>
> it makes only slightly more sense than saying "six" each time your
> ident server is queried.
I don't know about 'great deal' - but I do see value in it being an
optional way to run your identd.
> it only suffices to say that there is a nice (not "good") way to use
> encryption to do ident service. his four points can be addressed as
> follows:
[Good summary of how both methods solve the listed problems - omitted]
> >algorithm, but it didn't, so now I've re-integrated the support again,
> >but this time with at least 64-bit DES (if not even something better).
> there's still no use for it.
I think it comes down to this - who should have the responsibility for
maintaining the information?
If MY identd hands you a token which is all the information I will need
back from you if you file a complaint, then I'm no longer responsible
for maintaining my logs such that I can keep or throw them away without
regard to this particular use of them.
If MY identd hands you a timestamp, I'm now required to keep those logs
for a(n unknown) period of time.
> its only use now is to give an opaque token to the remote admin that
> they can later hand back to you if they need some sort of information.
> if your logs have expired, then you can say "sorry...you took too long
> to ask me about that." it will be their loss, and they will be no
> worse off than if you hadn't been running one in the first place.
>
> i have yet to see a court case that *established* a statute of
> limitations that implied a time period over which a system admin is
> expected to archive his logs, so i don't expect the "law" can
> reasonably find themselves put off by your inability to provide logs.
> i keep mine only as long as they are interesting to me. i have a
> friend who reads (and deletes) his logs regularly.
The encrypted reply option would seem to solve the problem more completely.
(Except for regions with prohibition.)
--
David Maxwell, david@vex.net|david@maxwell.net -->
(About an Amiga rendering landscapes) It's not thinking, it's being artistic!
- Jamie Woods
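The token-versus-timestamp point above, worked as an added example (not code from this thread or from any identd implementation): the server packs uid, port pair and query time into a record, seals it under a key only the operator holds, and returns the opaque result; whoever hands it back later learns nothing from it, while the operator can open it without having kept a log. AES-GCM, the record layout and the function names are this example's assumptions; the thread itself talks about DES.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"errors"
)

// Record is all the operator needs back later to answer a complaint, so no log need be kept for it.
type Record struct {
	UID, LocalPort, RemotePort uint32
	Unix                       int64 // when the ident query was answered
}

// NewAEAD wraps the operator-only key (16, 24 or 32 bytes) in AES-GCM, this
// example's cipher choice rather than the one any real identd uses.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// IssueToken seals the record under a fresh random nonce, which is prepended.
func IssueToken(aead cipher.AEAD, r Record) string {
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error in Go 1.24+
	var pt bytes.Buffer
	binary.Write(&pt, binary.BigEndian, r) // fixed-size struct: cannot fail
	return base64.StdEncoding.EncodeToString(aead.Seal(nonce, nonce, pt.Bytes(), nil))
}

// OpenToken is the operator's side: an altered or forged token fails authentication and names no user.
func OpenToken(aead cipher.AEAD, token string) (r Record, err error) {
	ct, err := base64.StdEncoding.DecodeString(token)
	ns := aead.NonceSize()
	if err != nil || len(ct) < ns+aead.Overhead() {
		return r, errors.New("malformed token")
	}
	pt, err := aead.Open(nil, ct[:ns], ct[ns:], nil)
	if err == nil {
		err = binary.Read(bytes.NewReader(pt), binary.BigEndian, &r)
	}
	return r, err
}
```

In an RFC 1413 reply the token would travel in the user-id field with the opsys field set to OTHER, which marks the user-id as an opaque string.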