IETF-SSH archive


Re: Updated Section 11 online



Hi.

This is your wg chair speaking.

I've been busy with the day job so I haven't been as active as I'd
like but you've been making steady albeit slow progress on this.

That said, with the impending I-D publications deadline for the Vienna
meeting, I think it's time to shoot the engineers and ship these
documents.

Remember, they're only going to Proposed Standard.

Anyone who has objections to reissuing the documents with the text
proposed in:

  http://www.employees.org/~lonvick/newssh010.html

should speak up now.

Anyone with objections MUST SUPPLY PRECISE SUGGESTED EDITS.

In particular, in order to hold the documents you MUST CONVINCE ME
THAT IT'S A SHOWSTOPPER that can't be fixed when we go to draft
standard.

With regards to the issues remaining:

> 1) There should be an explicit discussion of the problem that in the
> real world, hosts occasionally get reinstalled, CNAMEs sometimes move
> around, etc.  When this happens, people often learn that the meaning
> of the man in the middle attack warning is simply that they should
> delete the relevant line of their known_hosts file.

Anyone who feels that this issue is a showstopper should provide
corrected text to this list by this Friday.

> 2) It would be useful to discuss how if public key userauth is used,
> the mitm will not be able to authenticate to the real server as the
> user, because the signature will be against the wrong session
> identifier.

Not a showstopper as it doesn't disclose a weakness in the protocol.

> 3) It would be useful to mention that if agent forwarding is enabled,
> and if the host key of a bogus server is accepted by the client, the
> man in the middle *will* be able to authenticate to the real server.
> It should probably be recommended that agent forwarding be disabled by
> default.

Agent forwarding is not part of the core drafts.  Not a showstopper.

						- Bill
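As an added illustration of point 2 above (example code, not part of this thread or of the SSH drafts): a Go simulation of the "publickey" userauth signature from RFC 4252 section 7, showing that a signature the client produces on its connection to a middleman does not verify at the real server, whose own key exchange produced a different session identifier. The session identifier values, the user name and the simplified public-key blob are constructed assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)
// sshString encodes an SSH "string": uint32 big-endian length followed by the bytes (RFC 4251).
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// userauthSignedData builds what the client signs for publickey userauth (RFC 4252 section 7);
// the session identifier comes first, which binds the signature to one key exchange.
func userauthSignedData(sessionID []byte, user string, pub ed25519.PublicKey) []byte {
	var buf bytes.Buffer
	buf.Write(sshString(sessionID))
	buf.WriteByte(50) // SSH_MSG_USERAUTH_REQUEST
	buf.Write(sshString([]byte(user)))
	buf.Write(sshString([]byte("ssh-connection")))
	buf.Write(sshString([]byte("publickey")))
	buf.WriteByte(1) // boolean TRUE: a signature follows
	buf.Write(sshString([]byte("ssh-ed25519")))
	buf.Write(sshString(pub)) // public key blob, simplified to the raw key for this example
	return buf.Bytes()
}

// ClientSign is the client's signature over the session it actually negotiated.
func ClientSign(priv ed25519.PrivateKey, sessionID []byte, user string) []byte {
	return ed25519.Sign(priv, userauthSignedData(sessionID, user, priv.Public().(ed25519.PublicKey)))
}

// ServerVerify checks the signature against the server's own session identifier.
func ServerVerify(pub ed25519.PublicKey, sessionID []byte, user string, sig []byte) bool {
	return ed25519.Verify(pub, userauthSignedData(sessionID, user, pub), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	clientMitmID := []byte("constructed-hash-A") // constructed: session id of client<->middleman exchange
	mitmServerID := []byte("constructed-hash-B") // constructed: session id of middleman<->real server exchange
	sig := ClientSign(priv, clientMitmID, "alice")
	fmt.Println("relayed to real server:", ServerVerify(pub, mitmServerID, "alice", sig)) // false
	fmt.Println("on its own connection:", ServerVerify(pub, clientMitmID, "alice", sig))  // true
}
```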


