Re: [Isms] ISMS/SSH and notifications
----- Original Message -----
From: "David Harrington" <ietfdbh at comcast.net>
To: <Pasi.Eronen at nokia.com>; <isms at ietf.org>
Sent: Friday, May 16, 2008 4:01 PM
Subject: Re: [Isms] ISMS/SSH and notifications
> > -----Original Message-----
> > From: Pasi.Eronen at nokia.com [mailto:Pasi.Eronen at nokia.com]
> > Sent: Friday, May 16, 2008 6:41 AM
> > To: ietfdbh at comcast.net; isms at ietf.org
> > Subject: RE: [Isms] ISMS/SSH and notifications
> >
<snip>
>
> If we need to use server-auth rather than user-auth for notifications,
> then we need to tell operators they should configure the paramstable
> for notifications with the appropriate host identity. Assume user
> "Alice" is located at host "gandalf". If the admin wants to send traps
> to host gandalf, rather than specifically to Alice, then put an entry
> for gandalf in the target/paramstable configuration.
>
I keep coming back to this because I see this as the 'open issue' (SSH authentication is asymmetric) that remains stubbornly open, while the rest may be tricky but is more along the lines of 'implementation detail'.
What is the host identity (or identifier)? (The public key?)
SSH (RFC 4251) says:
"Each server host SHOULD have a host key"
"The server host key is used during key exchange to verify that the client is really talking to the correct server."
"Two different trust models can be used. The client has a local database that associates each host name (as typed by the user) with the corresponding public host key.... The host name-to-key association is certified by a trusted certification authority"
Wes seemed to be saying that once we have validated the public key, we can use
any securityName we like; you seem to be suggesting that the trust model uses
the SSH local database which is the SSHTM table and the host identity becomes
the securityName.
Where are Alice and Gandalf in this and what is the securityName used in the
ASIs and PDUs?
Please clarify.
Tom Petch
>
> David Harrington
> dbharrington at comcast.net
> ietfdbh at comcast.net
> dharrington at huawei.com
>
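The server-auth model the thread is weighing, as an added illustration (not ISMS/SSHTM specification text or any implementation's code): the notification sender keeps an RFC 4251-style local database of host name to host public key, verifies the receiver's presented host key against it, and only then takes the securityName from a hypothetical target/params table keyed by host identity. Host keys, the known_hosts contents and the `TARGET_PARAMS` table are constructed for the example; no user name such as "Alice" is consulted anywhere.

```python
import base64
import hashlib
import hmac

# Constructed host keys (not real SSH keys) for the two hosts in the thread's example.
GANDALF_KEY = b"constructed ssh-ed25519 blob for host gandalf"
FRODO_KEY = b"constructed ssh-ed25519 blob for host frodo"

# Local database in OpenSSH known_hosts layout: "<host> <keytype> <base64 key>".
KNOWN_HOSTS = "\n".join([
    "# notification receivers known to this SNMP engine (constructed)",
    f"gandalf ssh-ed25519 {base64.b64encode(GANDALF_KEY).decode()}",
    f"frodo ssh-ed25519 {base64.b64encode(FRODO_KEY).decode()}",
])

# Hypothetical target/params table: target host identity -> securityName to use.
TARGET_PARAMS = {"gandalf": "gandalf-notif", "frodo": "frodo-notif"}


def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a raw host-key blob, for log messages."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Parse known_hosts lines into {host: {keytype: raw key blob}}; skip comments."""
    db = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, keytype, b64 = line.split()[:3]
        db.setdefault(host, {})[keytype] = base64.b64decode(b64)
    return db


def security_name_for_target(db: dict, host: str, keytype: str, presented: bytes) -> str:
    """Server-auth model: derive the securityName from the verified host identity.

    Only the host key proves the sender reached 'gandalf'; which user happens to be
    logged in there is irrelevant. Raises PermissionError when the presented key is
    unknown or differs from the local database entry (constant-time comparison).
    """
    expected = db.get(host, {}).get(keytype)
    if expected is None or not hmac.compare_digest(expected, presented):
        raise PermissionError(f"host key for {host} not verified "
                              f"(presented {fingerprint(presented)})")
    return TARGET_PARAMS[host]
```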