Re: [Isms] ISMS/SSH and notifications

To: Jeffrey Hutzelman <jhutz at cmu.edu>
Subject: Re: [Isms] ISMS/SSH and notifications
From: Wes Hardaker <wjhns1 at hardakers.net>
Date: Wed, 14 May 2008 09:59:42 -0700
Cc: isms at ietf.org
Delivered-to: ietfarch-isms-web-archive at core3.amsl.com
Delivered-to: isms at core3.amsl.com
Dkim-signature: v=0.5; a=rsa-sha1; c=relaxed; d=hardakers.net; h=received:from:to:cc:subject:organization:references:date:in-reply-to:message-id:user-agent:mime-version:content-type; q=dns/txt; s=wesmail; bh=w31Tr6HamxNxoNFKwyjIh/XkwjY=; b=dj1fsJLe73T8G0y69R7SuJlu15OjtIedUGXVkIHB+sqA7ml7Ud0rz9h3YWtLwObS6ajk1xxercjn+IiRNuzEYWucU0Q3QyzTjDYdskO3E3h3+Hw55hhgtqQR6vDF8tubjRkzPmdevGgIYEEVQJ6fr1xmMEm95B6lhXEZhpwebE4=
In-reply-to: <DA6783536F3B0D93FFE8E219@sirius.fac.cs.cmu.edu> (Jeffrey Hutzelman's message of "Wed, 14 May 2008 12:02:35 -0400")
List-archive: <http://www.ietf.org/pipermail/isms>
List-help: <mailto:isms-request@ietf.org?subject=help>
List-id: Mailing list for the ISMS working group <isms.ietf.org>
List-post: <mailto:isms@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=unsubscribe>
Organization: Sparta
References: <sdskx1wof3.fsf@wes.hardakers.net> <1696498986EFEC4D9153717DA325CB72809B78@vaebe104.NOE.Nokia.com> <sdwsmcekir.fsf@wes.hardakers.net> <1696498986EFEC4D9153717DA325CB72890CAD@vaebe104.NOE.Nokia.com> <sdej8g3365.fsf@wes.hardakers.net> <1696498986EFEC4D9153717DA325CB72924F92@vaebe104.NOE.Nokia.com> <029c01c8b519$721a5f80$0601a8c0@allison> <sdve1h7vu1.fsf@wes.hardakers.net> <DA6783536F3B0D93FFE8E219@sirius.fac.cs.cmu.edu>
Sender: isms-bounces at ietf.org
User-agent: Gnus/5.110007 (No Gnus v0.7) XEmacs/21.4.21 (linux, no MULE)

>>>>> On Wed, 14 May 2008 12:02:35 -0400, Jeffrey Hutzelman <jhutz at cmu.edu> said:

JH> Please drop right now any notion that SNMP should track, identify, or
JH> authorize any engine based on SSH public keys.

I never said that directly (well, I probably implied it).  What I said
was that the client has to know the credentials of the other side in
order to protect against mitm attacks.  The client will have to specify
somehow which remote authentication mechanisms and credentials are
trusted.  To not do this would be to blindly allow ssh to always
perform a leap of faith which is very insecure and prone to mitm issues.

JH> To do so would be a serious abstraction violation and would defeat
JH> or seriously impair the purpose of ISMS, which is to allow operators
JH> to authenticate SNMP using their existing infrastructure.

This may well be done through existing known hosts and key material.

-- 
Wes Hardaker
Sparta, Inc.
_______________________________________________
Isms mailing list
Isms at ietf.org
https://www.ietf.org/mailman/listinfo/isms

References:
- [Isms] ISMS/SSH and notifications
  - From: Wes Hardaker
- Re: [Isms] ISMS/SSH and notifications
  - From: Pasi.Eronen
- Re: [Isms] ISMS/SSH and notifications
  - From: Wes Hardaker
- Re: [Isms] ISMS/SSH and notifications
  - From: Pasi.Eronen
- Re: [Isms] ISMS/SSH and notifications
  - From: Wes Hardaker
- Re: [Isms] ISMS/SSH and notifications
  - From: Pasi.Eronen at nokia.com
- Re: [Isms] ISMS/SSH and notifications
  - From: tom.petch
- Re: [Isms] ISMS/SSH and notifications
  - From: Wes Hardaker
- Re: [Isms] ISMS/SSH and notifications
  - From: Jeffrey Hutzelman

Prev by Date: Re: [Isms] ISMS/SSH and notifications
Next by Date: Re: [Isms] ISMS/SSH and notifications
Previous by thread: Re: [Isms] ISMS/SSH and notifications
Next by thread: Re: [Isms] ISMS/SSH and notifications
Index(es):
- Date
- Thread

Re: [Isms] ISMS/SSH and notifications

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.