On Fri, Aug 25, 2006 at 06:25:11PM +0100, Aine Douglas wrote:
> On 8/25/06, Badger <badger at scattermail.com> wrote:
> >I agree with what Colm Mac Carthaigh said in the alternate reply
> >to your post Aine, but I just wanted to drill down on some of the
> >other points:
> What Colm said was that anyone could implement their own tool using
> the PKCS standards, break the standard and make it do something
> entirely different.
No, that's not quite what I'm saying. You're missing the broader, more
profound, point. The security you are talking about with the ROS is
merely that you're only allowed to use one tool which has its own password
policy enforcement. There is no inherent PKI or crypto magic going
on which actually enforces this.

The real point is that this wouldn't work with ssh, and the notion that
it possibly could can only be founded in ignorance. There are already
widely deployed SSH clients which will allow you to use PEM, DSA, RSA, BLOB,
an agent daemon, and a range of other keystores.

Even if an SSH client were implemented which enforced the password
HMAC scheme for PKCS12, there would be no benefit, because one of the
other keystores could be used anyway. That's not implementing their
own tool, or "hacking", it's using the default behaviour of the tool.

Another problem is that as SSH is a widely deployed standardised
protocol it wouldn't take very long before a version of the client was
available which omitted this annoyance of a "feature" for users. Users
like being able to encrypt their keys with arbitrary passwords.
> I could re-write a webserver and make it a mailserver.
I've done both, Apache httpd and bits of mod_smtpd. Guess I'm a hacker
> could rewrite a telnet tool and make it talk SSH.
Hmmm, helped do that too, I think I'm still in the credits file for
> You could turn a road into a canal if you build walls and add tanking.
Now *that* sounds like a challenge, and I am moving to the Netherlands
Colm MacCárthaigh Public Key: colm+pgp at stdlib.net