On Fri, 2010-08-06 at 11:29 -0500, Steve Bonneville wrote: > i.grok@xxxxxxxxxxx wrote: > > Ideally (from this perspective), the host would validate the response itself. > > Exactly, if sshd is sufficiently paranoid it should make a query with > CD set in the request and do all the validation client-side. If you let > your nameserver do the validation, I think it's still possible to MITM > this by messing with the communication between the stub resolver and the > name server, which isn't secured. Not to mention that one has to trust one's own nameserver, which is a bad idea when using a public wireless access point. In order to achieve the same security properties as SSL/TLS as commonly practiced, local validation is the way to go. -- Matt -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
