IETF-SSH archive


Re: gss userauth



On Wed, Aug 27, 2003 at 12:47:00PM -0400, Joel N. Weber II wrote:
> So, what goals do we have in mind with changes to the spec?  I think
> the requirements we have are basically:
> 
> 1) stronger bindings
> 
> 2) backwards compatibility
> 
> 3) a preference toward ease of implementation
> 
> I think we can get 1 and 2 quite easily using either a mic or channel
> bindings.  I think 3 favors a mic, because it's not at all clear that
> channel bindings are particularly mature, and we don't want to have
> to create a lot of infrastructure to be able to solve this problem if
> there's a simpler fix.
> 
> Nico, were there other goals you had in mind?

Security. :)

I don't think we can get all those goals with channel bindings _now_ -
we could have, much earlier, but not now that implementations have been
deployed.

As it is I think Jeff's proposal (partial userauth + a new userauth that
has the client send a GSS MIC) is the best approach that obtains all of
these goals.

Cheers,

Nico
-- 


