Re: [Isms] What granularity of attributes do we need for the securetransport?

To: Randy Presuhn <randy_presuhn at mindspring.com>
Subject: Re: [Isms] What granularity of attributes do we need for the securetransport?
From: Wes Hardaker <wjhns1 at hardakers.net>
Date: Tue, 08 Apr 2008 09:49:04 -0700
Cc: isms at ietf.org
Delivered-to: ietfarch-isms-web-archive at core3.amsl.com
Delivered-to: isms at core3.amsl.com
Dkim-signature: v=0.5; a=rsa-sha1; c=relaxed; d=hardakers.net; h=received:from:to:cc:subject:organization:references:date:in-reply-to:message-id:user-agent:mime-version:content-type; q=dns/txt; s=wesmail; bh=jZD+UwyCZCu6S6wGHqO9HvTBWyk=; b=oZIsbmV53QmBhcg3z25pI/xyvk3Dqy7MEBlsOW9ef3ALrYZdqe4RVTXqXuTthfBoTQ6v4jN5hw6BSBv57BXY37azqode7C9BTzplo4Fl6alT3kAlvXavAZfyQy2mrMFpyhDl+iZkXF2fugz72Giubbguf4RBaJqmNXmFuWhyCJA=
In-reply-to: <20080404112201.GB10840 at elstar.local> (Juergen Schoenwaelder's message of "Fri, 4 Apr 2008 13:22:01 +0200")
List-archive: <http://www.ietf.org/pipermail/isms>
List-help: <mailto:isms-request@ietf.org?subject=help>
List-id: Mailing list for the ISMS working group <isms.ietf.org>
List-post: <mailto:isms@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=unsubscribe>
Organization: Sparta
References: <031001c895da$418f5220$0600a8c0 at china.huawei.com> <003401c895ec$9a92edc0$6801a8c0 at oemcomputer> <20080404112201.GB10840 at elstar.local>
Sender: isms-bounces at ietf.org
User-agent: Gnus/5.110007 (No Gnus v0.7) XEmacs/21.4.21 (linux, no MULE)

>>>>> "JS" == Juergen Schoenwaelder <j.schoenwaelder at jacobs-university.de> writes:

JS> Security people were in the room when this was discussed and part of
JS> the discussion was also that the SSHTM can blindly trust the SSH layer
JS> without having to peek into the internals of the session state. Since
JS> this meeting, we have worked under the assumption that the SSHTM can
JS> trust the SSH layer to provide proper security. Unless there is a
JS> major new argument, I would prefer to stick with this decision.

In particular, if you're going to outsource the complexity of security
to another protocol, which is being done by using SSH as a transport.
You either have to trust that transport to do the right thing or you are
going to fail to actually outsource much of the complexity in the first
place.  Plus if you strictly require only certain modes of the lower
transport then when it gets security upgrades (eg, new algorithms) you
won't because you too exactly specified requirements of it.

I think if the lower level says it can support authPriv you simply have
to trust it.  Doing anything else adds way too much complexity and layer
interaction that isn't needed.

-- 
Wes Hardaker
Sparta, Inc.
_______________________________________________
Isms mailing list
Isms at ietf.org
https://www.ietf.org/mailman/listinfo/isms

Follow-Ups:
- Re: [Isms] What granularity of attributes do we need for the securetransport?
  - From: Randy Presuhn

References:
- Re: [Isms] What granularity of attributes do we need for the secure transport?
  - From: David Harrington
- Re: [Isms] What granularity of attributes do we need for the securetransport?
  - From: Randy Presuhn
- Re: [Isms] What granularity of attributes do we need for the securetransport?
  - From: Juergen Schoenwaelder

Prev by Date: Re: [Isms] What granularity of attributes do we need for the secure transport?
Next by Date: Re: [Isms] What granularity of attributes do we need for the securetransport?
Previous by thread: Re: [Isms] What granularity of attributes do we need for the securetransport?
Next by thread: Re: [Isms] What granularity of attributes do we need for the securetransport?
Index(es):
- Date
- Thread

Re: [Isms] What granularity of attributes do we need for the securetransport?

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.