gssapi host key algorithm usage

To: <ietf-ssh%netbsd.org@localhost>
Subject: gssapi host key algorithm usage
From: "Joel N. Weber II" <ietf-secsh%joelweber.com@localhost>
Date: Tue, 24 Jun 2003 09:21:00 -0400

The secsh transport draft suggests that there can be different kinds
of host key algorithms, and that some key exchange operations may
support different host key algorithms than others.

The idea that GSS mechanisms don't have host keys strikes me as
confused.  As far as I can tell, if I have a Kerberos 5 principal
named host/foo.example.com%EXAMPLE.COM@localhost and I store that encryption key
in /etc/krb5.keytab on the host foo.example.com, it is very much the
case that that krb5.keytab is a form of a host key.  As far as I know,
all GSS mechanisms that anyone cares about for use with ssh do support
host keys, albeit abstracted away to the point where ssh protocol
designers and implementers don't directly deal with them.

On furthur thought, I don't really understand why gss-group1-sha1-*
has to be defined as gss-group1-sha1-*.  Wouldn't it have been cleaner
to define it as gss-group1-sha1 and then put information on which gss
mechanism is being used in the host key algorithm field?

It may well be too late to change now for gss-group1-sha1 (on the
other hand, sxw's patches seem to have survived a change in the
OID->string conversion), but if gss-group-exchange-sha1 gets defined,
I hope it will use the host key field to specify which GSS mechanism
to use.

Follow-Ups:
- Re: gssapi host key algorithm usage
  - From: Nicolas Williams

Prev by Date: I-D ACTION:draft-weber-secsh-pkalg-none-00.txt
Next by Date: Re: gssapi host key algorithm usage
Previous by Thread: I-D ACTION:draft-weber-secsh-pkalg-none-00.txt
Next by Thread: Re: gssapi host key algorithm usage
Indexes:

Home | Main Index | Thread Index | Old Index