RE: [Isms] #2: is server authentication a requirement that SNMP will require


Hi,

Rather than passing around X.509 certificates (which are large),
many mobile protocols are passing around the _hashes_ of X.509
certificates (sometimes just for the second through nth session
between the same two endpoints - makes session restart faster).

Does SSH have session restart similar to TLS?

Cheers,
- Ira

Ira McDonald (Musician / Software Architect)
Blue Roof Music / High North Inc
PO Box 221  Grand Marais, MI  49839
phone: +1-906-494-2434
email: imcdonald at sharplabs.com

> -----Original Message-----
> From: isms-bounces at lists.ietf.org
> [mailto:isms-bounces at lists.ietf.org] On Behalf Of Kaushik Narayan (kaushik)
> Sent: Monday, October 17, 2005 1:24 PM
> To: j.schoenwaelder at iu-bremen.de
> Cc: dbharrington at comcast.net; isms at ietf.org
> Subject: RE: [Isms] #2: is server authentication a requirement that SNMP will require
> 
> 
> Hi Juergen,
> 
> Please find my reply inline.
> 
> <snipped>
> 
> Management applications at the very end also have a human being
> involved. I don't see a reason why a management application can't do the
> same as my ssh client does when you hit a box you have not talked to
> before. Initiate a dialog with a human decision maker, open a ticket in
> a trouble ticket system or whatever the app writer seeks appropriate to
> get an OK to accept the key. This is all implementation detail for me.
> 
> 
> <Kaushik>
> 
> Although management applications have a human involved, the
> communication with the device might not happen in real time. Almost all
> changes to the network (configuration) and all collection (inventory,
> fault, performance) of data from the network happens at a time that is
> least disruptive to the network. Also there are cases wherein devices
> need to be pre-provisioned where the operator might not be in the loop
> when the sign-of-life shows up from the device.
>
> This does raise the requirement for the public keys being available to
> the NMS before communication to the device happens, this will have to be
> done manually for a start and X.509 certs support in SSH will reduce
> this administrative burden. Again these may well be seen outside the
> realm of SSHSM but I think we need to make sure that operators are aware
> of the administrative chores required to deploy SSHSM since deployment
> was a key barrier to entry for USM and a main reason why ISMS was
> created.
> 
> Regards,
>   kaushik!
> 
> _______________________________________________
> Isms mailing list
> Isms at lists.ietf.org
> https://www1.ietf.org/mailman/listinfo/isms
> 
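The two positions quoted above (ask a human on first contact, versus host keys pre-provisioned on the NMS for unattended runs) can be put side by side in one host-key check. This is an added example, not code from the thread or from any ISMS document; the class, host names and raw key bytes are constructed for illustration, and fingerprints use the OpenSSH SHA256 style.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw32: bytes) -> bytes:
    """Public key blob for ssh-ed25519 (key type string + 32-byte key)."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw32)


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class HostKeyPolicy:
    """Hypothetical NMS-side policy: pinned keys first, a human only if present."""

    def __init__(self, pinned, interactive):
        self.pinned = dict(pinned)      # host -> fingerprint, loaded before first contact
        self.interactive = interactive  # False for scheduled, unattended collection
        self.pending = []               # unknown keys queued for operator review

    def check(self, host, presented_blob, approve=None):
        fp = fingerprint(presented_blob)
        known = self.pinned.get(host)
        if known is not None:
            # Pre-provisioned key: no human needed; a changed key is never accepted.
            return "accept" if known == fp else "reject-mismatch"
        if self.interactive and approve is not None and approve(host, fp):
            self.pinned[host] = fp      # operator said OK, as an ssh client prompt would
            return "accept-new"
        # Nobody in the loop: do not talk to the device, queue the key (e.g. a ticket).
        self.pending.append((host, fp))
        return "deferred"


if __name__ == "__main__":
    key_a = ed25519_blob(b"\x01" * 32)  # constructed sample key bytes
    night_run = HostKeyPolicy({"rtr1.example.net": fingerprint(key_a)}, interactive=False)
    print(night_run.check("rtr1.example.net", key_a))
    print(night_run.check("rtr9.example.net", ed25519_blob(b"\x03" * 32)))
    print(night_run.pending)
```

The unattended run only reaches devices whose keys were loaded in advance; every other device ends up in `pending`, which is the administrative chore the reply describes.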

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.