IETF-SSH archive


Re: I-D ACTION:draft-weber-secsh-pkalg-none-00.txt



> draft-ietf-secsh-gsskeyex-06 allows for hosts to give clients their host
> keys in a secure manner, which makes it possible for subsequent re-keys
> to work even when the client's GSS-API credentials are expired.

However, when you use a client that supports both GSS and
pgp-sign-{rsa,dss} and a server that also supports both of these and
has a pgp-sign-{rsa,dss} host key, the server will send the
pgp-sign-{rsa,dss} host key, and it is possible that the client will
decide that according to whatever trust model and trust values it
happens to be using, the key isn't trusted, and cause the connection
to fail.  You could special case it to not consult the trust model
when rekeying, I guess...
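The failure mode described above can be made concrete with a small model. The following is an added example, not code from the poster or from any SSH implementation: it applies the RFC 4253 host-key algorithm negotiation rule (first name in the client's list that the server also supports) and a trust check, with the GSS-authenticated host modelled as the `null` host-key algorithm. The class names, the `gss_creds_valid` flag and the `skip_trust_on_rekey` switch are constructed for illustration and are not taken from any draft.

```python
"""Model of SSH host-key algorithm negotiation and the rekey trust check.

Constructed example.  Algorithm names follow RFC 4253 (pgp-sign-rsa,
pgp-sign-dss); the GSS-authenticated host is modelled as "null".  All
class names, flags and key material are assumptions made for the model.
"""
from dataclasses import dataclass, field


def negotiate(client_prefs, server_algs):
    """RFC 4253 s7.1: pick the first algorithm in the client's name-list
    that the server also supports; None if there is no common algorithm."""
    for alg in client_prefs:
        if alg in server_algs:
            return alg
    return None


@dataclass
class Client:
    hostkey_prefs: list                 # ordered name-list sent in KEXINIT
    trusted_keys: set = field(default_factory=set)  # what the trust model accepts
    gss_creds_valid: bool = True        # assumption: GSS credentials usable?
    skip_trust_on_rekey: bool = False   # the "special case" the poster mentions


@dataclass
class Server:
    hostkeys: dict                      # alg -> key material (constructed)


def key_exchange(client, server, rekey=False):
    """Return ("ok", alg) or ("fail", reason) for one key exchange."""
    prefs = list(client.hostkey_prefs)
    # Host authentication via GSS-API is only possible with valid credentials,
    # so an expired credential removes "null" from what the client can use.
    if not client.gss_creds_valid:
        prefs = [a for a in prefs if a != "null"]
    alg = negotiate(prefs, server.hostkeys)
    if alg is None:
        return ("fail", "no common host key algorithm")
    if alg == "null":
        # Host identity established by GSS-API; no host key to check.
        return ("ok", alg)
    if rekey and client.skip_trust_on_rekey:
        # Bypassing the trust model on rekey avoids the failure below, at the
        # cost of not re-evaluating the host key after the initial exchange.
        return ("ok", alg)
    if server.hostkeys[alg] in client.trusted_keys:
        return ("ok", alg)
    return ("fail", f"{alg} host key not trusted")


def scenario(skip_trust_on_rekey=False):
    """Initial GSS-authenticated exchange, then a rekey after the GSS
    credentials expire.  The client's trust model does not know the
    server's PGP-signed key."""
    client = Client(hostkey_prefs=["null", "pgp-sign-rsa"],
                    skip_trust_on_rekey=skip_trust_on_rekey)
    server = Server(hostkeys={"null": None, "pgp-sign-rsa": "PGP-KEY-A"})
    first = key_exchange(client, server)            # constructed: creds valid
    client.gss_creds_valid = False                   # constructed: creds expire
    second = key_exchange(client, server, rekey=True)
    return first, second


if __name__ == "__main__":
    print(scenario())                    # rekey fails on the trust check
    print(scenario(skip_trust_on_rekey=True))  # rekey succeeds
```

Running the scenario twice shows both branches: with the default trust behaviour the rekey fails because the negotiated `pgp-sign-rsa` key is not accepted by the client's trust model, and with the bypass switch set it succeeds without consulting the trust model at all.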
