IETF-SSH archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: Last Call: Using DNS to securely publish SSH key fingerprints to Proposed Standard
Was it considered to allow for other security mechanisms to
authenticate the SSHFP data, besides DNSSEC? The document says:
2.4 Authentication
A public key verified using this method MUST only be trusted if the
SSHFP resource record (RR) used for verification was authenticated by
a trusted SIG RR.
Clients that do not validate the DNSSEC signatures themselves MUST
use a secure transport, e.g. TSIG [8], SIG(0) [9] or IPsec [7],
between themselves and the entity performing the signature
validation.
This seem to require that DNSSEC is used by at least some entity.
I believe this is an unnecessary restriction, and that SSHFP would be
more useful if it the wording was changed to allow for any secure
mechanism. The document may mention that it was designed for DNSSEC
and that DNSSEC is the recommended way to authenticate data, but I
believe it should not explicitly preclude other (secure) ways of
authenticating the SSHFP data.
Some scenarios that are precluded by the current text:
* TSIG/IPSEC-protected query to authoritative server with SSHFP.
* TSIG/IPSEC-protected query to trusted server with SSHFP. (The
server may have received the data using a secure channel from the
authoritative server.)
* Using data from zone files received securely out of band. (E.g.,
via SSH, or by mail protected by CMS or OpenPGP, from the
authoritative domain.)
Thanks.
(I searched the SSH mailing list but could not find anything related
to this. I'd appreciate a pointer if this has discussed before.)
The IESG <iesg-secretary%ietf.org@localhost> writes:
> The IESG has received a request from the Secure Shell Working Group to
> consider Using DNS to securely publish SSH key fingerprints
> <draft-ietf-secsh-dns-04.txt> as a Proposed Standard.
>
> The IESG plans to make a decision in the next few weeks, and solicits
> final comments on this action. Please send any comments to the
> iesg%ietf.org@localhost or ietf%ietf.org@localhost mailing lists by 2003-5-19.
>
> Files can be obtained via http://www.ietf.org/internet-drafts/draft-ietf-secsh-dns-04.txt
Home |
Main Index |
Thread Index |
Old Index