Re: draft-ietf-secsh-gss-keyex and null host keys

To: Bill Sommerfeld <sommerfeld%sun.com@localhost>
Subject: Re: draft-ietf-secsh-gss-keyex and null host keys
From: Sam Hartman <hartmans%mit.edu@localhost>
Date: Thu, 31 Mar 2005 22:22:15 -0500

>>>>> "Bill" == Bill Sommerfeld <sommerfeld%sun.com@localhost> writes:

    Bill> one extreme:

    Bill> In general, manually-exchanged-via-trusted-path hostkeys
    Bill> should not be replaced by GSSAPI-authenticated ones; the
    Bill> former may be considered akin to trust anchors.

I'm not actually sure I believe this is true.  In practice the fact
that there is no good rekeying mechanism for manual keys suggests that
you want to be relatively open in accepting mechanisms to rekey.  For
example I'd sort of like to see a dialogue asking if I wanted to
replace a manual key with a gssapi key if there was one.

References:
- Re: draft-ietf-secsh-gss-keyex and null host keys
  - From: Jeffrey Hutzelman
- Re: draft-ietf-secsh-gss-keyex and null host keys
  - From: Bill Sommerfeld

Prev by Date: Re: draft-ietf-secsh-gss-keyex and null host keys
Next by Date: Re: comments on draft-ietf-secsh-filexfer-07.txt
Previous by Thread: Re: draft-ietf-secsh-gss-keyex and null host keys
Next by Thread: Re: draft-ietf-secsh-gss-keyex and null host keys
Indexes:

Home | Main Index | Thread Index | Old Index