IETF-SSH archive
Re: I-D ACTION:draft-weber-secsh-pkalg-none-00.txt
I have thought that the gss keyex spec should allow the server to send
its public host keys (as opposed to one public host key).
I think that would be the right thing to do and the right fix. I don't
mind this none keyex too much though and it may be the easiest way to
resolve your problem.
Cheers,
Nico
--
On Tue, Jun 24, 2003 at 05:06:57PM -0400, Joel N. Weber II wrote:
> > draft-ietf-secsh-gsskeyex-06 allows for hosts to give clients their host
> > keys in a secure manner, which makes it possible for subsequent re-keys
> > to work even when the client's GSS-API credentials are expired.
>
> However, when you use a client that supports both GSS and
> pgp-sign-{rsa,dss} and a server that also supports both of these and
> has a pgp-sign-{rsa,dss} host key, the server will send the
> pgp-sign-{rsa,dss} host key, and it is possible that the client will
> decide that according to whatever trust model and trust values it
> happens to be using, the key isn't trusted, and cause the connection
> to fail. You could special case it to not consult the trust model
> when rekeying, I guess...