IETF-SSH archive


Re: WG Chair comments on draft-ietf-secsh-agent-01.txt



Bill Sommerfeld  <sommerfeld%east.sun.com@localhost> wrote:
>  2) security considerations section doesn't mention the case where you
>     do an ssh-add into a forwarded agent connection.  While this
>     exchange is protected via encryption, it does involve casually
>     moving a long-term public keypair over the net to a remote system,
>     which should raise a few eyebrows..

Hmm. I tend to see it the other way round. In the designed usage
model, the real agent is running on your _local_ system, which is
usually the only one you trust with your private keys. If you do an
ssh-add from a remote system, the potential problem is not the
transfer of the key to your trusted local machine: it's the fact
that the remote system somewhere on the Internet which you're
transferring the key _from_ had access to both the key file and the
passphrase. Or, if you're concerned about attacks on the network
connection between them, then the damage is probably already done
once you've typed the passphrase through your SSH connection.

I'm tempted to suggest that if you _must_ store your private key
remotely, then the only sensible mode of use is to transfer it
_encrypted_ to your local agent and have that prompt for the
passphrase. But that's getting back to my pet extension feature :-)

> Any comments from the rest of the WG?

I posted several comments on the agent draft on 28th April, which
are still in the list archives. The only response I got was from
Damien Miller supporting one of my suggestions. If anyone is
actually collecting comments, please don't overlook those.

Cheers,
Simon
-- 
Simon Tatham         These are my opinions. There are many
<anakin%pobox.com@localhost>   like them but these ones are mine.


