IETF-SSH archive
Re: secsh-sftp-scp-uri draft
Hello,
My few cents:
On Wed, 20 Aug 2003, Steve Suehring wrote:
> 1.  Default port issue
> 
> Status: Proposed change: "If the port is not included, the default port 
> (22) is assumed."
Sounds reasonable.
> 2.  Specifying ciphers etc as parameters
I fail to see the need for these. The client already has a list of preferred 
algorithms, and the server can dictate use of a specific cipher as the drafts 
stand.
The only place I can find this useful is when the server wants to use a cipher not 
allowed by the default client policy (say, des or none). I'd be 
very wary of allowing such action.
Educate me, if I've missed something.
[snip]
> 
> 4.  Multiple host key algorithms and fingerprints
I'd like to see fingerprints removed from the draft. I think it's calling 
for trouble by way of man-in-the-middle or impersonation attacks.
> 5.  Security considerations in trusted vs. untrusted URLS
Is there such a thing as a trusted URL? I doubt it. Maybe the source can be 
verified, but there's no validity protection on the URL itself. Consider 
someone being able to post content on a trusted site, or an attacker 
tricking some trusted user into sending a crafted URL in e-mail, or an employee gone 
bad sending a malicious URL.
It's hard to get it right, and in my opinion, the risks far outweigh the 
benefits (maybe some anonymous SFTP scheme?).
My suggestion:
Let the SSH/SCP/SFTP URIs be location pointers, and remove connection 
parameters altogether. Treat all URIs as 'untrusted' and let SSH handle
the decisions over connection setup.
Best regards,
Heikki Nousiainen
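As an added illustration of the suggestion above (treat an ssh/scp/sftp URI purely as a location pointer, discard any embedded connection parameters, and leave cipher and host-key decisions to the client's own policy), here is a small Python parser. It is not part of this thread or of any draft; it assumes, purely for illustration, that connection parameters would be written either as `;key=value` items in the userinfo part or as a query string. The parser records such items only so the caller can log or reject them, and never feeds them to the SSH client.

```python
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import unquote, urlsplit

# Schemes handled and the default port applied when the URI omits one.
SSH_SCHEMES = {"ssh", "scp", "sftp"}
DEFAULT_PORT = 22


@dataclass
class SshLocation:
    """Location-only view of a URI: scheme, user, host, port and path."""
    scheme: str
    user: Optional[str]
    host: str
    port: int
    path: str
    # Connection hints found in the URI (ASSUMED syntax: ';k=v' in userinfo or
    # a '?k=v' query). They are kept for logging/rejection only, never honoured.
    ignored_params: List[str] = field(default_factory=list)


def parse_ssh_uri(uri: str) -> SshLocation:
    """Parse an ssh://, scp:// or sftp:// URI into a location pointer.

    Raises ValueError for unsupported schemes, a missing host, or a
    non-numeric / out-of-range port. Any cipher, fingerprint or similar
    hint carried by the URI is stripped and listed in ignored_params.
    """
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in SSH_SCHEMES:
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URI carries no host")

    # urlsplit raises ValueError itself for a malformed or out-of-range port.
    port = parts.port
    if port is None:
        port = DEFAULT_PORT

    ignored: List[str] = []
    user: Optional[str] = None
    if parts.username is not None:
        # ASSUMED parameter syntax: 'user;fingerprint=...;cipher=...'
        raw_user, *params = parts.username.split(";")
        user = unquote(raw_user) or None
        ignored.extend(p for p in params if p)
    if parts.query:
        # ASSUMED parameter syntax: '?cipher=...&mac=...'
        ignored.extend(q for q in parts.query.split("&") if q)

    return SshLocation(scheme, user, parts.hostname, port, parts.path, ignored)


def to_argv(loc: SshLocation) -> List[str]:
    """Build an OpenSSH command line that carries only the location.

    Nothing from ignored_params reaches the command: algorithm and host-key
    policy stay with the client's configuration and known_hosts.
    """
    # Bracket IPv6 literals so the ':' before the path is unambiguous.
    host = f"[{loc.host}]" if ":" in loc.host else loc.host
    target = f"{loc.user}@{host}" if loc.user else host
    if loc.scheme == "ssh":
        return ["ssh", "-p", str(loc.port), target]  # path is not meaningful here
    # scp and sftp both take the port via -P and 'host:path' as the remote spec.
    return [loc.scheme, "-P", str(loc.port), f"{target}:{loc.path}"]


if __name__ == "__main__":
    # Constructed sample URIs, not taken from any draft or real system.
    for sample in (
        "sftp://alice@example.net/home/alice",
        "scp://example.net:2222/etc/hosts",
        "ssh://bob;fingerprint=ssh-dss-ABC@example.net?cipher=none",
    ):
        loc = parse_ssh_uri(sample)
        print(sample, "->", to_argv(loc))
        if loc.ignored_params:
            print("  dropped connection hints:", loc.ignored_params)
```

Running the module prints the command line derived from each sample and, for the third one, the fingerprint and cipher hints that were dropped rather than passed on; a real client would log or refuse such a URI instead of silently obeying it.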