Status of opportunistic encryption

James A. Donald jamesd at echeque.com
Fri Jun 2 05:10:56 EDT 2006


     --
James A. Donald:
 > > My understanding is that SSH when using GSS KEX does
 > > not cache the keys, which strikes me as an amazingly
 > > stupid idea,

Victor Duchovni
 > No, that's the whole point. What works for the
 > individual administering 10 machines, does not scale
 > to organizations with hundreds of administrators
 > managing tens of thousands of machines. With KEX you
 > trust Kerberos, not your key store.

  In an organization with hundreds of administrators
managing tens of thousands of machines, what goes wrong
with trusting your key store?  And who administers
Kerberos?  Don't they have a problem with tens of
thousands of machines?

 > Workable DNS-SEC exists, what lacks now is the will
 > and political muscle to make it happen.

I was unaware of this.  So I googled for DNSSEC. Reading
the DNSSEC documents I found
: :	"In order to support the larger DNS message
: :	sizes that result from adding the DNSSEC RRs,
: :	DNSSEC also requires EDNS0 support ([RFC
: :	671]). "

and

: :	"its authentication keys can be authenticated
: :	by some trusted means out of band from the
: :	DNS protocol."

This does not sound workable to me.

     --digsig
          James A. Donald
      6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
      N8PPaaHAyVJ5X84mwrNura/s/6xoxBy1I4SsvYnN
      4dTYtTbKIKIX2zUmbNeTi6z5NYSRZW+LcplUU9tST
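The EDNS0 requirement quoted above is easier to see on the wire. The following is an added example, not part of the original mail: it builds a DNS query with and without an EDNS0 OPT pseudo-RR and reads back the advertised UDP payload size and the DNSSEC OK (DO) flag, which is what lets a resolver receive responses larger than the classic 512-byte UDP limit. Sample names and sizes are constructed; nothing is sent on the network.

```python
import struct

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR type
DO_BIT = 0x8000        # "DNSSEC OK" flag, top bit of the OPT TTL field
CLASSIC_UDP_LIMIT = 512  # maximum DNS/UDP payload without EDNS0

def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype, txid=0x1234, edns_size=None, dnssec_ok=False):
    """Build a query; with edns_size set, append an OPT RR advertising it."""
    arcount = 1 if edns_size is not None else 0
    # Header: id, flags (RD set), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)  # QCLASS IN
    if edns_size is not None:
        ttl = DO_BIT if dnssec_ok else 0
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
        # TTL=ext-rcode/version/flags, RDLENGTH=0 (no options)
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_size, ttl, 0)
    return msg

def skip_name(msg, off):
    """Advance past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def edns_params(msg):
    """Return (max UDP payload, DO flag) the message advertises."""
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return rclass, bool(ttl & DO_BIT)
    return CLASSIC_UDP_LIMIT, False            # no OPT RR: pre-EDNS0 limits
```

A query for a DNSKEY (type 48) with no OPT RR is limited to 512 bytes of response; the same query with a 4096-byte OPT RR and the DO bit set can carry the DNSSEC RRs the quoted RFC text refers to.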

---------------------------------------------------------------------
The Cryptography Mailing List