Re: I-D ACTION:draft-ietf-secsh-scp-sftp-ssh-uri-00.txt

To: ietf-ssh%netbsd.org@localhost
Subject: Re: I-D ACTION:draft-ietf-secsh-scp-sftp-ssh-uri-00.txt
From: "Joel N. Weber II" <ietf-secsh%joelweber.com@localhost>
Date: Wed, 13 Aug 2003 13:34:40 -0400

Is there a good reason to define scp URLs in addition to sftp URLs?

I don't think explicitly specifying port 22 in all cases where the URL
doesn't specify a port number is correct; what about SRV DNS records?

What is the rationale for allowing the URL to specify information
about ciphers, integrity protection, etc?  It seems allowing this to
be specified might allow an attacker providing a URL to perform a
downgrade attack, which at the very least should be mentioned in the
security considerations section.  There doesn't seem to be anything
prohibiting an attacker from specifying ``none'', either.

It looks to me like there is no mechanism for specifying the public
key host key algorithm to be used, nor does the fingerprint contain
that information.  Combined with only allowing one fingerprint, that
has the potential to cause interoperability problems: if I have a
server with one ssh-rsa key, and one ssh-dss key, and some clients
happen to prefer ssh-rsa over ssh-dss and others are the other way
around, how do I provide a URL with a fingerprint that will work with
both types of clients?

Follow-Ups:
- RE: I-D ACTION:draft-ietf-secsh-scp-sftp-ssh-uri-00.txt
  - From: Joseph Salowey

References:
- I-D ACTION:draft-ietf-secsh-scp-sftp-ssh-uri-00.txt
  - From: Internet-Drafts

Prev by Date: Re: Please publish attached draft-ietf-secsh-break-01
Next by Date: draft-ietf-secsh-fingerprint-01.txt
Previous by Thread: RE: I-D ACTION:draft-ietf-secsh-scp-sftp-ssh-uri-00.txt
Next by Thread: RE: I-D ACTION:draft-ietf-secsh-scp-sftp-ssh-uri-00.txt
Indexes:

Home | Main Index | Thread Index | Old Index