Re: [Isms] wg last call followup - sshtm



Alright, let me write up some introductory text that describes this.
IIRC, I think I already edited the EOP to reflect this, based on Wes's
comments.

dbh

> -----Original Message-----
> From: Jeffrey Hutzelman [mailto:jhutz at cmu.edu] 
> Sent: Monday, March 02, 2009 1:26 PM
> To: David Harrington; 'tom.petch'; 'Juergen Schoenwaelder'; 
> isms at ietf.org
> Cc: jhutz at cmu.edu
> Subject: Re: [Isms] wg last call followup - sshtm
> 
> --On Sunday, March 01, 2009 09:17:06 PM -0500 David Harrington 
> <ietfdbh at comcast.net> wrote:
> 
> > Hi,
> >
> > I have the same concerns. I feel very uneasy about this.
> >
> > I think that the way to resolve it is to have sshtm record the
> > SnmpSSHAddress and the tmSecurityName for outgoing messages, and match
> > them up to incoming messages. If the principal identity matches the
> > user part of an SnmpSSHAddress in email format, and that is different
> > than the tmSecurityName used with that transport address for the
> > outgoing message, then use the tmSecurityName that was used for the
> > corresponding outgoing message.
> >
> > If we send the message to "bob at remote.org", then I presume the
> > response will come back from "bob" at remote.com's address.
> 
> NONONO.  If we send the message to "bob at remote.org", then we are sending
> the message to the host remote.org, and using "bob" as _our_ SSH username
> for use in authenticating to that host.  It is _not_ an email address, and
> "bob" is not the name of the agent we're sending to.  It is the name the
> agent we're sending to (actually, the SSH server we're connecting to) uses
> to describe _us_.
> 
> If we send a message...
> 
> ... the response will come back _over the same ssh session_.  Period.
> We don't get a response back from a particular IP address or hostname or
> user.  We get a response back over the channel _we_ opened.  This is
> exactly what tmSameSecurity is for.
> 

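The addressing and tmSameSecurity behaviour Jeffrey describes, as an added toy model in Python (not code from the thread, the IETF, or any SNMP implementation; the class names, session ids and sample address are assumptions made for the illustration):

```python
"""Toy model of SNMP-over-SSH (sshtm) addressing and the tmSameSecurity rule.

Constructed illustration only: the classes, session ids and address below are
assumptions, not the sshtm specification or any real implementation.
"""
from dataclasses import dataclass
from typing import Dict
import itertools


@dataclass(frozen=True)
class SnmpSSHAddress:
    # "bob@remote.org" means: connect to host remote.org and authenticate
    # *ourselves* to its SSH server as user "bob".  It is not an email address.
    local_user: str
    host: str

    @classmethod
    def parse(cls, text: str) -> "SnmpSSHAddress":
        user, sep, host = text.rpartition("@")
        if not sep or not user or not host:
            raise ValueError(f"not a user@host SnmpSSHAddress: {text!r}")
        return cls(local_user=user, host=host)


@dataclass(frozen=True)
class TmStateReference:
    session_id: int          # the SSH session the request went out over
    tm_security_name: str    # security name bound to that session
    tm_same_security: bool   # response must reuse this exact session


class SshTransportModel:
    def __init__(self) -> None:
        self._ids = itertools.count(1)
        self._sessions: Dict[int, SnmpSSHAddress] = {}

    def send_request(self, addr: SnmpSSHAddress, sec_name: str) -> TmStateReference:
        # Opening a session to addr.host as addr.local_user; remember the channel.
        sid = next(self._ids)
        self._sessions[sid] = addr
        return TmStateReference(sid, sec_name, tm_same_security=True)

    def accept_response(self, ref: TmStateReference, arrived_on: int) -> bool:
        # A response is matched to the channel we opened, not to a hostname
        # or username; any other session is rejected when tmSameSecurity is set.
        if ref.tm_same_security and arrived_on != ref.session_id:
            return False
        return arrived_on in self._sessions
```

A second session to the same host with the same username is still a different channel, so a response arriving on it is not accepted for the first request.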

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.