IETF-SSH archive


Re: Password change (was Re: WG Last Call (third time's the charm?) for SSH core drafts)



On Tue, 5 Feb 2002, Joseph Galbraith wrote:
> > > 2. Add a message like SSH_MSG_USERAUTH_PASSWD_EXPIRING
> > 
> > This seems superior.

I don't see the reason to start doing this change NOW? The
SSH_MSG_USERAUTH_PASSWD_CHANGEREQ as it stands in the draft might not be
perfect but it describes an easy way to handle password change requests
(and it's what is deployed). If one wants to refine this process, one can
either use keyboard-interactive authentication (which is superior in most
ways anyway!) OR one can add this new request at a later stage (it's not
something that has been implemented so why should it come into this set of
drafts?).

About the x509 "problem"; it is really solved with some small
clarifications (see my earlier mails on this). It can easily be moved to a
separate draft (which at this stage might be better since there are no
"compliant" implementations anyway).

However, personally I'm happy with just the small clarifications on
signature formats, after all the "x509v3-sign-rsa" and "x509v3-sign-dss"
do REFER to rfc2459 (which in its turn refers to PKCS#1), are those documents
underspecified or what are we suggesting here?!?

Also, if the x509 stuff isn't enough specified in the draft, mustn't we
remove ALL other public key formats (i.e. spki and pgp) too? (or is there
something which is clearer with those in the draft, in which case I must
be missing something?).

Cheers,

/Mats





