IETF-SSH archive


Re: draft-ietf-secsh-gss-keyex and null host keys



>>>>> "Bill" == Bill Sommerfeld <sommerfeld%sun.com@localhost> writes:

    Bill> (and complicating #1 is the interaction with the SSH DNS
    Bill> fingerprint document, because that *is* a way of securely
    Bill> exchanging the fingerprints out of band, at least if dnssec
    Bill> is turned on...)

I'd argue that gss-authenticated keys are out-of-band in the same
sense that the dns document is.  The signed key is exchanged by a
mechanism that does not depend on that key being a trust anchor for
the security of the exchange.  I.e., in one case my trust anchor is
some DNS-related key; in another case it is a Kerberos key or some
other GSS credential.


