[27116] in cryptography@c2.net mail archive
Re: Status of opportunistic encryption
daemon@ATHENA.MIT.EDU (James A. Donald)
Fri Jun 2 20:45:08 2006
X-Original-To: cryptography@metzdowd.com
Date: Fri, 02 Jun 2006 19:10:56 +1000
From: "James A. Donald" <jamesd@echeque.com>
To: cryptography@metzdowd.com
In-Reply-To: <20060531014519.GO19534@piias899.ms.com>
--
James A. Donald:
> > My understanding is that SSH when using GSS KEX does
> > not cache the keys, which strikes me as an amazingly
> > stupid idea,
Victor Duchovni
> No, that's the whole point. What works for the
> individual administering 10 machines, does not scale
> to organizations with hundreds of administrators
> managing tens of thousands of machines. With KEX you
> trust Kerberos, not your key store.
In an organization with hundreds of administrators
managing tens of thousands of machines, what goes wrong
with trusting your key store? And who administers
Kerberos? Don't they have a problem with tens of
thousands of machines?
> Workable DNS-SEC exists, what lacks now is the will
> and political muscle to make it happen.
I was unaware of this. So I googled for DNSSEC. Reading
the DNSSEC documents I found
: : "In order to support the larger DNS message
: : sizes that result from adding the DNSSEC RRs,
: : DNSSEC also requires EDNS0 support ([RFC
: : 671]). "
and
: : "its authentication keys can be authenticated
: : by some trusted means out of band from the
: : DNS protocol."
This does not sound workable to me.
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
N8PPaaHAyVJ5X84mwrNura/s/6xoxBy1I4SsvYnN
4dTYtTbKIKIX2zUmbNeTi6z5NYSRZW+LcplUU9tST
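The EDNS0 requirement quoted above is concrete enough to show in code. The following is an added example, not part of this thread or of any DNSSEC implementation: it builds a DNS query carrying the EDNS0 OPT pseudo-record with the DO ("DNSSEC OK") bit set, and parses a message to report whether EDNS0 is present, what UDP payload size the sender advertised, and whether DO is set. Without the OPT record a resolver is limited to the classic 512-byte UDP response, which is why signed responses (with their RRSIG records) need EDNS0 or a fall back to TCP. The sample response bytes are constructed inline; the record type number 41 for OPT and the DO bit position are as specified for EDNS0.

```python
import struct

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR type code
DO_BIT = 0x8000        # "DNSSEC OK" flag in the OPT TTL field
CLASSIC_UDP_LIMIT = 512


def _encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name, qtype=1, dnssec_ok=True, udp_payload=4096, txid=0x1234):
    """Build a recursive DNS query; with dnssec_ok=True append an OPT RR with DO set."""
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD=1
    question = _encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN
    opt = b""
    if dnssec_ok:
        # OPT RR: root name, TYPE=41, CLASS=advertised UDP payload size,
        # TTL=ext-rcode/version/flags (DO in the high bit), RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, DO_BIT, 0)
    return header + question + opt


def _skip_name(msg, off):
    """Advance past a wire-format name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_edns(msg):
    """Return EDNS0 details from the OPT RR, or None if the message has no OPT."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return {"udp_payload": rclass, "do": bool(ttl & DO_BIT),
                    "version": (ttl >> 16) & 0xFF}
    return None


def max_udp_response(msg):
    """Largest UDP reply the sender of msg can accept: 512 without EDNS0."""
    edns = parse_edns(msg)
    return CLASSIC_UDP_LIMIT if edns is None else edns["udp_payload"]


def sample_response():
    """Constructed response: one A record (compressed name) plus an OPT RR with DO set."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
    question = _encode_name("example.com") + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, DO_BIT, 0)
    return header + question + answer + opt


if __name__ == "__main__":
    print(parse_edns(build_query("example.com")))
    print(parse_edns(build_query("example.com", dnssec_ok=False)))
    print(parse_edns(sample_response()), max_udp_response(sample_response()))
```

`parse_edns` walks every section rather than only the additional section, so it also works on messages where an OPT record appears out of place; a validating resolver would reject such a message, but for inspection it is useful to see it anyway.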
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com