IETF-SSH archive


Re: WG chair nits on draft-ietf-secsh-dns-02.txt



We suggest the following changes.

	jakob

@@ -304,7 +304,14 @@
    <t>
     As stated in <xref target="policy"></xref>, we recommend that SSH
     implementors provide a policy mechanism to control the order of
-    methods used for host key verification.
+    methods used for host key verification. One specific scenario for
+    having a configurable policy is where clients use unqualified host
+    names to connect to servers. In this case, we recommend that SSH
+    implementations check the host key against a local database before
+    verifying the key via the fingerprint returned from DNS. This
+    would help prevent an attacker from injecting a DNS search path
+    into the local resolver and forcing the client to connect to a
+    different host.
    </t>

    <t>
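Review bot: the added sentences say that checking the local database first "would help prevent" the attack but never say why the DNS check on its own is not enough; suggest stating explicitly that, with an attacker-supplied search path, the unqualified name can be completed to a different fully-qualified name whose fingerprint in DNS legitimately matches the attacker's host, so only a prior match in the local database stops the client from accepting that key. The text also leaves open what the client should do when the local database has no entry for the unqualified name (fall back to the DNS fingerprint, or treat it as a first contact); one sentence on that case would complete the recommendation. Minor: the existing sentence says "SSH implementors" and the new one "SSH implementations"; pick one term for the paragraph.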


