Re: [David Leonard] draft-ietf-secsh-gsskeyex-09.txt comments

To: David Leonard <David.Leonard%quest.com@localhost>
Subject: Re: [David Leonard] draft-ietf-secsh-gsskeyex-09.txt comments
From: Jeffrey Hutzelman <jhutz%cmu.edu@localhost>
Date: Fri, 19 Aug 2005 00:32:03 -0400

On Thursday, August 11, 2005 10:10:54 PM +1000 David Leonard<David.Leonard%quest.com@localhost> wrote:

> * s7.1 In the last phrase "the hostname of the SSH server": Sometimes
>   users specify IP addresses instead of hostnames, and the GSS
>   mechanism is expected to deal with it (rightly so). Now, my concern
>   is with the use of the word 'hostname' in the case of targets
>   specified as network addresses.  As written the par seems to imply a
>   client ought to do reverse   DNS if an IP address is given. So I
> suggest changing "the hostname of   the SSH server" to "the given name
> of the SSH server" or something   like that.

I believe the existing text is correct.  The construction of GSSAPI
host-based service names requires a hostname, not an IP address.  Yes,
that means that if the user provides an IP address, the server will need
to reverse-resolve in a secure fashion.


No. I read RFC2743 s4.1 to say that the canonicalizing of the "hostname"
string is the job of the GSS mechanism, and not that of the SSH server
code.

If you agree, then I think a better correction is to just quote the word
"hostname" in the last sentence of s7.1, as was done in rfc2743 s4.1.

RFC2743's use of quotes there indicates that it is talking about a fieldcalled "hostname". The quotes are not derisive, and are not intended tosuggest that that field is populated with something other than what isnormally meant by that word.

Unfortunately, RFC2743 is rather outdated in this respect, as well as insome others, and in some cases it is also unclear. I believe Sam hasadequately explained the current thinking among people working on GSSAPIregarding hostname canonicaliation. I expect this issue to be explainedrather more clearly in an upcoming revision of the GSSAPI spec.

In the meantime, I still believe the wording in the present document sayswhat we intended, and does not require any changes.

I have been asked to submit an updated version of this document within thenext few days, in order to get it on the agenda for the September 1 IESGtelechat. Unless Bill finds that we have consensus for a change in thisarea, I will submit the draft early next week with no further changes.


-- Jeff

Follow-Ups:
- Re: [David Leonard] draft-ietf-secsh-gsskeyex-09.txt comments
  - From: Bill Sommerfeld

References:
- Re: [David Leonard] draft-ietf-secsh-gsskeyex-09.txt comments
  - From: Jeffrey Hutzelman
- Re: [David Leonard] draft-ietf-secsh-gsskeyex-09.txt comments
  - From: David Leonard

Prev by Date: Re: SFTP server newline convention
Next by Date: I-D ACTION:draft-ietf-secsh-newmodes-05.txt
Previous by Thread: Re: [David Leonard] draft-ietf-secsh-gsskeyex-09.txt comments
Next by Thread: Re: [David Leonard] draft-ietf-secsh-gsskeyex-09.txt comments
Indexes:

Home | Main Index | Thread Index | Old Index