[OpenISO] TELNET
Norbert Bollow
nb at bollow.ch
Sat Sep 8 20:04:32 CEST 2007
Tonnerre LOMBARD <tonnerre at ffii.org> wrote:
> > ### Comment 1: ###
> > No use of UNICODE or other international character set approved by
> > OpenISO.
>
> In fact, as you even copied above, it does not use _any_ character set
> at all. telnet is an 8-bit byte oriented message exchange facility, and
> as such leaves it up to the applications running on top of it to define
> the character set. (e.g. the login program/sequence on UNIX systems.)
I'm allocating to this comment about E400#1 the identifier E400#10.
My comment E400#11 on comments E400#1, E400#8, E400#10:
Comment E400#10 makes a good point. The TELNET protocol allows any
character encoding to be transmitted transparently, including Unicode
character encodings. Comments E400#1, E400#8 are therefore invalid.
> > ### Comment 2: ###
> > There is no message integrity verification, so commands can be inserted
> > and removed
>
> The message integrity verification is left to the communication layer
> telnet is running on, in this case TCP. This is important to notice,
> because the protocol IPv6 supports an additional IP Security feature
> which will actually take care of this. So the problem was rather in
>
> 1. the understanding of security at that point in time (1983), causing
> 2. the relative insecurity of the IP and TCP transmission layer.
>
> If you consult your OSI layer map, you will realize quickly that data
> coherency and protection is actually a layer 4 feature, while telnet is
> situated on upper layers.
>
> > ### Comment 3: ###
> > There is no message secrecy, so commands and parameters can be seen
>
> See above.
>
> > ### Comment 4: ###
> > The authentication password is transmitted in plaintext
>
> See above. Also, authentication is not a method of the telnet protocol.
> You can authenticate securely over telnet using the Kerberos
> authentication facility.
I'm allocating to this comment about E400#2, E400#3, E400#4 the
identifier E400#12.
My comment E400#13 on comments E400#9, E400#12:
Comment E400#12 makes a good point. The conclusion of comment E400#9
is therefore invalid.
> > ### Comment 5: ###
> > There is an alternative standard called SSH without the problems in
> > comments 1-4.
>
> But one might argue that SSH actually does these things on the wrong
> layer. It is possible to have a perfectly secure telnet session over the
> new IPv6 protocol suite.
I'm allocating to this comment about E400#5 the identifier E400#6.
> > ### Comment 6: ###
> > The plaintext protocol is so raw that it can be used to manually debug and
> > interact with other simple plaintext protocols such as HTTP, by sending
> > plaintext queries and visualizing the responses.
(Note: this comment has been given the identifier E400#7 because there
were two different comments labelled "Comment 5" in the draft that was
posted.)
> That's kind of «standard abuse» ;-)
I'm allocating to this comment about E400#7 the identifier E400#14.
> > - No Patents: See Comment #.
I'm allocating to this "no patents" statement the identifier E400#15.
> Actually, if you're picky, there are patents that might cover telnet.
> There is, for example, a patent on remote execution of commands which
> covers all of HTTP, RPC, telnet and ssh. The applicability of this
> patent is highly debated but not judged yet. If you want to find it, try
> http://ep.espacenet.com/advancedSearch?locale=en_EP
I'm allocating to this "no patents" statement the identifier E400#16.
My comment E400#17 on comments E400#1..E400#16:
I think we can approve RFC 854 with a rating of "Recommended in some
contexts" unless further concerns are raised.
Greetings,
Norbert.
--
Norbert Bollow <nb at bollow.ch> http://Norbert.ch
President of the Swiss Internet User Group SIUG http://SIUG.ch
Working on establishing a non-corrupt and
truly /open/ international standards organization http://OpenISO.org