Re: I-D ACTION:draft-weber-secsh-pkalg-none-00.txt

To: Nicolas Williams <Nicolas.Williams%sun.com@localhost>
Subject: Re: I-D ACTION:draft-weber-secsh-pkalg-none-00.txt
From: "Joel N. Weber II" <ietf-secsh%joelweber.com@localhost>
Date: Tue, 24 Jun 2003 17:06:57 -0400

> draft-ietf-secsh-gsskeyex-06 allows for hosts to give clients their host
> keys in a secure manner, which makes it possible for subsequent re-keys
> to work even when the client's GSS-API credentials are expired.

However, when you use a client that supports both GSS and
pgp-sign-{rsa,dss} and a server that also supports both of these and
has a pgp-sign-{rsa,dss} host key, the server will send the
pgp-sign-{rsa,dss} host key, and it is possible that the client will
decide that according to whatever trust model and trust values it
happens to be using, the key isn't trusted, and cause the connection
to fail.  You could special case it to not consult the trust model
when rekeying, I guess...

Follow-Ups:
- Re: I-D ACTION:draft-weber-secsh-pkalg-none-00.txt
  - From: Nicolas Williams

References:
- I-D ACTION:draft-weber-secsh-pkalg-none-00.txt
  - From: Internet-Drafts
- Re: I-D ACTION:draft-weber-secsh-pkalg-none-00.txt
  - From: Nicolas Williams

Prev by Date: Re: gssapi host key algorithm usage
Next by Date: Re: I-D ACTION:draft-weber-secsh-pkalg-none-00.txt
Previous by Thread: Re: I-D ACTION:draft-weber-secsh-pkalg-none-00.txt
Next by Thread: Re: I-D ACTION:draft-weber-secsh-pkalg-none-00.txt
Indexes:

Home | Main Index | Thread Index | Old Index