IETF-SSH archive
Re: draft-ietf-secsh-gsskeyex-06.txt security considerations
On Mon, 14 Jul 2003, Nicolas Williams wrote:
> On Mon, Jul 14, 2003 at 11:52:52AM -0400, Joel N. Weber II wrote:
> > And it seems somewhat asymmetrical that security considerations talks
> > about the required properties of a GSSAPI mechanism used for key
> > exchange, but says nothing about user authentication.
I believe the document specifies the minimum properties required for
GSS-API contexts in both keyex and userauth. As Nico points out, there
are fewer requirements in the userauth case, because there are no
non-context tokens exchanged.
> Perhaps the fact that and reasons why GSS-API replay and out-of-sequence
> detection are not needed at all here and why GSS-API mutual
> authentication and per-message integrity services are not needed in the
> userauth case ought to be stated.
The document has just gone into last call. I anticipate that there will
be one more cycle to address comments raised during last call and improve
the security considerations section; if so, I'll try to address this issue
more clearly. But IMNSHO it's not worth a cycle for this alone.
-- Jeff