From owner-freebsd-security Sun Jan 7 12:50: 4 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82])
    by hub.freebsd.org (Postfix) with ESMTP
    id D6BD237B400; Sun, 7 Jan 2001 12:49:44 -0800 (PST)
Received: from rfx-64-6-211-149.users.reflexcom.com ([64.6.211.149])
    by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19);
    Sun, 7 Jan 2001 12:48:01 -0800
Received: (from cjc@localhost)
    by rfx-64-6-211-149.users.reflexcom.com (8.11.0/8.11.0) id f07Kngo51445;
    Sun, 7 Jan 2001 12:49:42 -0800 (PST)
    (envelope-from cjc)
Date: Sun, 7 Jan 2001 12:49:41 -0800
From: "Crist J. Clark"
To: Garrett Wollman
Cc: Robert Watson, security@FreeBSD.ORG
Subject: Re: Fw: Re: Antisniffer measures (digest of posts)
Message-ID: <20010107124941.X95729@rfx-64-6-211-149.users.reflexco>
Reply-To: cjclark@alum.mit.edu
References: <200101071925.OAA04427@khavrinen.lcs.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <200101071925.OAA04427@khavrinen.lcs.mit.edu>; from wollman@khavrinen.lcs.mit.edu on Sun, Jan 07, 2001 at 02:25:35PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, Jan 07, 2001 at 02:25:35PM -0500, Garrett Wollman wrote:
> < said:
>
> > an SSL telnet does offer something that SSH does not have: the ability to
> > connect to a new host without a manual keying procedure.
>
> Some people would say that this is a liability. I've got a number of
> particularly argumentative users here who insist that trusted third
> parties of any kind are fundamentally bad. While I don't necessarily
> agree, it is true that in any X.509 configuration it is necessary to
> be very careful about which CAs one trusts and for which purposes.
> (For our SSL applications here, we will only trust our own CA, since
> it is the only one capable of authenticating our users.)

And when we are talking about people connecting among their own
machines, we probably will be talking about self-signed certs
anyway. Who is going to pay Verisign or whoever so that an
administrator can connect from his office to the fileserver
downstairs? Starting up your own PKI is non-trivial and expensive, and
if you get it wrong, it is all for nothing since it adds no security.

SSL for login sessions does have a niche, but the PKI for SSL can be
overkill just as the complete lack of a PKI within the SSH protocols
can be problematic. For either one, it all comes back to the problems
of cost-effective and secure PKI and where to balance cost and
security for your needs.
-- 
Crist J. Clark cjclark@alum.mit.edu