IETF-SSH archive


draft-ietf-secsh-dns-{01,02} diff



Upcoming changes for -02. Seems reasonable? We know of no other
outstanding issues.

	jakob & wes


Index: draft-ietf-secsh-dns-xx.xml
===================================================================
RCS file: /cvs/sshdev/draft/draft-ietf-secsh-dns-xx.xml,v
retrieving revision 1.34
retrieving revision 1.38
diff -u -r1.34 -r1.38
--- draft-ietf-secsh-dns-xx.xml	3 Nov 2002 13:51:08 -0000	1.34
+++ draft-ietf-secsh-dns-xx.xml	21 Nov 2002 16:13:45 -0000	1.38
@@ -1,13 +1,13 @@
 <?xml version='1.0' encoding='ISO-8859-1' standalone='no' ?>
 <!DOCTYPE rfc SYSTEM "rfc2629.dtd">

-<!-- $Id: draft-ietf-secsh-dns-xx.xml,v 1.34 2002/11/03 13:51:08 jakob Exp $ -->
+<!-- $Id: draft-ietf-secsh-dns-xx.xml,v 1.38 2002/11/21 16:13:45 jakob Exp $ -->

 <?rfc toc="yes" ?>
 <?rfc compact="yes" ?>
 <?rfc editing="no" ?>

-<rfc ipr="full2026" docName="draft-ietf-secsh-dns-01.txt">
+<rfc ipr="full2026" docName="draft-ietf-secsh-dns-02.txt">

  <front>
   <title abbrev="DNS and SSH fingerprints">Using DNS to securely
@@ -118,11 +118,20 @@

    <section anchor="policy" title="Implementation notes">
     <t>
-     Client implementors SHOULD to provide a configurable policy used
+     Client implementors SHOULD provide a configurable policy used
      to select the order of methods used to verify a host key and
      which fingerprints to trust ultimately, after user confirmation
      or not at all.
     </t>
+    <t>
+     One specific scenario for having a configurable policy is where
+     clients use unqualified host names to connect to servers. In this
+     scenario, the implmentation SHOULD verify the host key against a
+     local database before verifying the key via the fingerprint
+     returned from DNS. This would help prevent an attacker from
+     injecting a DNS search path into the local resolver and forcing
+     the client to connect to a different host.
+    </t>
    </section>

    <section title="Fingerprint matching">
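Review bot: "implmentation" in the added paragraph is misspelled and should read "implementation". The rationale sentence could also be made more explicit: the risk with an unqualified name is that an injected search path makes the name expand to a different fully qualified host, so the DNS fingerprint that is fetched and matched belongs to that other host; stating that the local database is keyed on the name as the user typed it, while the DNS lookup is keyed on the expanded name, would make clear why checking the local database first closes that gap.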
@@ -354,15 +363,12 @@

  <back>

-  <references>
+  <references title="Normative References">
+
    <?rfc include="reference.RFC.1034.xml"?>
    <?rfc include="reference.RFC.1035.xml"?>
    <?rfc include="reference.RFC.2119.xml"?>
-   <?rfc include="reference.RFC.2411.xml"?>
    <?rfc include="reference.RFC.2535.xml"?>
-   <?rfc include="reference.RFC.2845.xml"?>
-   <?rfc include="reference.RFC.2931.xml"?>
-   <?rfc include="reference.RFC.3007.xml"?>

    <reference anchor="ssh-architecture">
     <front>
@@ -415,6 +421,15 @@
     <seriesInfo name="work in progress"
      value="draft-ietf-secsh-transport-15.txt"/>
    </reference>
+
+  </references>
+
+  <references title="Informational References">
+
+   <?rfc include="reference.RFC.2411.xml"?>
+   <?rfc include="reference.RFC.2845.xml"?>
+   <?rfc include="reference.RFC.2931.xml"?>
+   <?rfc include="reference.RFC.3007.xml"?>

   </references>
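Review bot: The ssh-architecture reference and the secsh-transport reference (seriesInfo "work in progress") remain inside the block that the added `</references>` closes, i.e. under "Normative References"; normative references to unpublished Internet-Drafts will hold this document until those drafts are published, so confirm that is intended. Also consider titling the new section "Informative References", which is the customary heading for non-normative citations, rather than "Informational References".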