IETF-SSH archive
Re: gssapi host key algorithm usage
Joel points out that one cannot specify a preference such as:
- 1st, pubkey keyex with pgp-sign-{dss,rsa} keys
- 2nd, gss keyex with some mechanism
- 3rd, pubkey keyex with ssh-{dss,rsa} keys
I think Joel's right.
Joel's proposed solution, i.e., treating the GSS-API mechanisms as host
key algorithms (which I find to be conceptually incorrect) would not
work, I think.
The KEXINIT packets probably should have, from the get-go, negotiated
{keyex method, <keyex method specific arguments (host keys, GSS mechs)>}
tuples, but they don't.
One solution might be to add aliases of the pubkey keyex methods (e.g.,
diffie-hellman-group1-sha1) for use with PGP and other non-ssh-{dss,rsa}
host key types. I think this would solve the problem.
I'll think about it more when I have the time for it.
Cheers,
Nico
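As an added illustration (not code from the thread or from any SSH implementation), the following Python models the RFC 4253 section 7.1 rule by which kex and host-key name-lists are negotiated, and runs it over the three-tier preference Joel describes. It shows that independent kex and host-key lists collapse the preference to "pubkey with whatever host key the server has", and that a kex alias bound to PGP host keys (Nico's sketch) makes the ordering expressible. The `diffie-hellman-group1-sha1-pgp` name and the server name-lists are constructed assumptions; the GSS kex name is built the way RFC 4462 later defined it, from the DER encoding of the Kerberos V5 mechanism OID.

```python
"""Added example: RFC 4253 s7.1 kex / host-key negotiation over the
three-tier preference from the thread.  Names marked HYPOTHETICAL are
assumptions for illustration, not real SSH algorithm names."""

import base64
import hashlib


def gss_kex_name(mech_oid_der: bytes) -> str:
    """RFC 4462 naming: 'gss-group1-sha1-' + base64(MD5(DER-encoded mech OID))."""
    digest = hashlib.md5(mech_oid_der).digest()
    return "gss-group1-sha1-" + base64.b64encode(digest).decode("ascii")


# DER encoding of the Kerberos V5 mechanism OID 1.2.840.113554.1.2.2.
KRB5_OID_DER = bytes.fromhex("06092a864886f712010202")
GSS_KRB5_KEX = gss_kex_name(KRB5_OID_DER)

DH1 = "diffie-hellman-group1-sha1"
DH1_PGP = "diffie-hellman-group1-sha1-pgp"  # HYPOTHETICAL alias: DH1 restricted to PGP keys

# Which host-key algorithms each kex method can be completed with.  The plain
# DH method takes any signature-capable host key; GSS kex is modelled here as
# pairing only with the "null" host-key algorithm; the alias only pairs with
# pgp-sign-* keys, which is the whole point of the alias.
HOSTKEYS_FOR_KEX = {
    DH1: {"ssh-rsa", "ssh-dss", "pgp-sign-rsa", "pgp-sign-dss"},
    DH1_PGP: {"pgp-sign-rsa", "pgp-sign-dss"},
    GSS_KRB5_KEX: {"null"},
}


def negotiate(client_kex, server_kex, client_hostkey, server_hostkey):
    """RFC 4253 s7.1, simplified: the chosen kex method is the first on the
    client's list that the server also lists AND for which some host-key
    algorithm on both lists is usable with it; the host key is the first such
    algorithm in the client's order.  Returns (kex, hostkey) or None."""
    server_kex_set = set(server_kex)
    server_hostkey_set = set(server_hostkey)
    shared_hostkeys = [h for h in client_hostkey if h in server_hostkey_set]
    for kex in client_kex:
        if kex not in server_kex_set:
            continue
        usable = HOSTKEYS_FOR_KEX.get(kex, set())
        for hk in shared_hostkeys:
            if hk in usable:
                return kex, hk
    return None


def tier(result):
    """Map an outcome onto the three tiers in the message (1 = best)."""
    if result is None:
        return None
    kex, hk = result
    if hk.startswith("pgp-sign-"):
        return 1
    if kex.startswith("gss-"):
        return 2
    return 3


def demo():
    # Constructed server A: Kerberos available, ssh-rsa host key, no PGP key.
    server_a_kex = [DH1_PGP, DH1, GSS_KRB5_KEX]
    server_a_hostkey = ["ssh-rsa", "null"]
    # Constructed server B: same, but it also has a PGP host key.
    server_b_hostkey = ["pgp-sign-rsa", "ssh-rsa", "null"]

    # Today's KEXINIT: kex and host-key lists are ordered independently, so
    # the closest a client can get to "pgp, then gss, then ssh-rsa" is this.
    # Against server A it lands on tier 3 even though tier 2 was available.
    flat = negotiate([DH1, GSS_KRB5_KEX], server_a_kex,
                     ["pgp-sign-rsa", "ssh-rsa"], server_a_hostkey)

    # With a kex alias bound to PGP host keys, the three tiers become a plain
    # ordering of the kex list; the alias is skipped when no PGP key is shared.
    aliased_client_kex = [DH1_PGP, GSS_KRB5_KEX, DH1]
    aliased_client_hostkey = ["pgp-sign-rsa", "ssh-rsa", "null"]
    aliased = negotiate(aliased_client_kex, server_a_kex,
                        aliased_client_hostkey, server_a_hostkey)
    aliased_pgp_server = negotiate(aliased_client_kex, server_a_kex,
                                   aliased_client_hostkey, server_b_hostkey)
    return {"flat": flat, "aliased": aliased,
            "aliased_pgp_server": aliased_pgp_server}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} -> {result}  (tier {tier(result)})")
```

The `negotiate` function deliberately re-checks the alias against the shared host keys rather than trusting the server to omit it, so a server that advertises the alias without a matching key falls through to the next kex method instead of failing the exchange.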