IETF-SSH archive


Re: draft-ietf-secsh-gss-keyex and null host keys



>>>>> "Bill" == Bill Sommerfeld <sommerfeld%sun.com@localhost> writes:

    Bill> one extreme:

    Bill> In general, manually-exchanged-via-trusted-path hostkeys
    Bill> should not be replaced by GSSAPI-authenticated ones; the
    Bill> former may be considered akin to trust anchors.

I'm not actually sure I believe this is true.  In practice the fact
that there is no good rekeying mechanism for manual keys suggests that
you want to be relatively open in accepting mechanisms to rekey.  For
example I'd sort of like to see a dialogue asking if I wanted to
replace a manual key with a gssapi key if there was one.



