IETF-SSH archive
Re: WG Chair comments on draft-ietf-secsh-agent-01.txt
On Tue, Jul 15, 2003 at 06:25:52PM -0400, Bill Sommerfeld wrote:
> Two comments:
>
> 1) "split" references (there's only one and it's normative)
>
> 2) security considerations section doesn't mention the case where you
> do an ssh-add into a forwarded agent connection. While this
> exchange is protected via encryption, it does involve casually
> moving a long-term public keypair over the net to a remote system,
> which should raise a few eyebrows.
>
> It is not clear to me what we should do about this. Either we should:
>
> a) suggest that implementations detect and warn about this case,
>
> or
>
> b) redesign the protocol so that SSH_AGENT_PRIVATE_KEY_OP requests
> flow towards the node with the key rather than having all keys and
> requests flow to the "root" agent.
>
> Any comments from the rest of the WG?
Perhaps an optional message could be added to indicate that a node has
added a key to the [now distributed] agent. Of course, now we'd have
bidirectional agent channels, with requests and responses going in
either direction.
Nico
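In the spirit of option (a) above, the following is an added example (not code from the draft, from this list or from any SSH implementation) of how a relay sitting on the local end of a forwarded agent channel could detect and refuse requests that carry private key material before they reach the "root" agent. It assumes the framing and message numbers of the OpenSSH agent protocol (SSH_AGENTC_ADD_IDENTITY = 17, SSH_AGENTC_ADD_ID_CONSTRAINED = 25, SSH_AGENT_FAILURE = 5); the draft under discussion uses different message names such as SSH_AGENT_PRIVATE_KEY_OP. The sample key blob is constructed test data, not a real key.

```python
"""Filter for a forwarded SSH agent channel that refuses key-adding requests.

Added example; it assumes the OpenSSH agent protocol's message numbers and
its framing (uint32 length, byte message type, payload). The draft this
thread discusses names and numbers its messages differently.
"""
import struct

# OpenSSH agent protocol message numbers (assumption, see module docstring).
SSH_AGENT_FAILURE = 5
SSH_AGENT_SUCCESS = 6
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENTC_ADD_IDENTITY = 17
SSH_AGENTC_REMOVE_IDENTITY = 18
SSH_AGENTC_REMOVE_ALL_IDENTITIES = 19
SSH_AGENTC_ADD_ID_CONSTRAINED = 25

# Requests whose payload carries private key material. A remote ssh-add
# pushes one of these down the forwarded channel towards the root agent.
KEY_ADDING_REQUESTS = {SSH_AGENTC_ADD_IDENTITY, SSH_AGENTC_ADD_ID_CONSTRAINED}


def put_string(b: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def frame(msg_type: int, payload: bytes = b"") -> bytes:
    """Frame one agent message: uint32 length, one byte of type, payload."""
    body = bytes([msg_type]) + payload
    return struct.pack(">I", len(body)) + body


def parse_frame(data: bytes):
    """Split one agent message off the front of a byte stream.

    Returns (msg_type, payload, rest) or None if the frame is incomplete.
    """
    if len(data) < 5:
        return None
    (length,) = struct.unpack(">I", data[:4])
    if length < 1 or len(data) < 4 + length:
        return None
    body = data[4:4 + length]
    return body[0], body[1:], data[4 + length:]


def add_identity_request(key_type: bytes, private_blob: bytes, comment: bytes) -> bytes:
    """Build an SSH_AGENTC_ADD_IDENTITY request as a client would send it.

    The private key fields travel inside the agent channel, protected only by
    the SSH transport between the two hosts; the remote host sees them.
    """
    payload = put_string(key_type) + private_blob + put_string(comment)
    return frame(SSH_AGENTC_ADD_IDENTITY, payload)


def filter_request(raw: bytes):
    """Decide what the relay does with one request arriving from the remote side.

    Returns (forward_to_agent, reply_to_remote, note). Key-adding requests are
    answered with SSH_AGENT_FAILURE locally and never reach the root agent;
    everything else is forwarded unchanged.
    """
    parsed = parse_frame(raw)
    if parsed is None:
        return False, frame(SSH_AGENT_FAILURE), "malformed or truncated frame"
    msg_type, payload, rest = parsed
    if rest:
        return False, frame(SSH_AGENT_FAILURE), "trailing bytes after frame"
    if msg_type in KEY_ADDING_REQUESTS:
        note = (f"refused msg {msg_type}: remote side tried to add a private key "
                f"({len(payload)} bytes of key material) over a forwarded channel")
        return False, frame(SSH_AGENT_FAILURE), note
    return True, None, f"forwarded msg {msg_type}"


if __name__ == "__main__":
    # Constructed test key: the blob layout mimics an ed25519 private key
    # (public string, then private string) but the bytes are fillers.
    fake_private = put_string(b"\x00" * 32) + put_string(b"\x01" * 64)
    req = add_identity_request(b"ssh-ed25519", fake_private, b"constructed test key")
    print(filter_request(req)[2])
    print(filter_request(frame(SSH_AGENTC_REQUEST_IDENTITIES))[2])
```

The relay only needs to inspect the one-byte message type, so the cost is negligible; the point is that the decision is made on the local host, where the key would otherwise be stored, rather than trusting the remote ssh-add not to be run. Under option (b), where requests flow towards the node holding the key, no private key material would traverse the channel and this filter would have nothing to refuse.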