Re: [Isms] ISMS/SSH and notifications


--On Tuesday, May 13, 2008 02:11:50 PM -0700 Wes Hardaker 
<wjhns1 at hardakers.net> wrote:

>>>>>> On Tue, 13 May 2008 16:32:18 +0200, "tom.petch"
>>>>>> <cfinss at dial.pipex.com> said:
> tp> And as has been pointed out several times, when the NO originates
> tp> the session, and the NO is the ssh client, then that credential is a
> tp> public key.
>
> The *client* credential is a public key.  As is the server's.

Not necessarily.  SSH supports key exchange methods in which the server is 
authenticated by a mechanism other than a public key, as well as methods in 
which public key crypto is used, but the server is not identified by a 
specific public key.  It also supports a wide range of user authentication 
methods which are not based on public keys.

Please drop right now any notion that SNMP should track, identify, or 
authorize any engine based on SSH public keys.  To do so would be a serious 
abstraction violation and would defeat or seriously impair the purpose of 
ISMS, which is to allow operators to authenticate SNMP using their existing 
infrastructure.

-- Jeff
_______________________________________________
Isms mailing list
Isms at ietf.org
https://www.ietf.org/mailman/listinfo/isms



Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.