On Sun, 2010-08-08 at 11:34 -0700, Matt McCutchen wrote: > On Fri, 2010-08-06 at 11:29 -0500, Steve Bonneville wrote: > > i.grok@xxxxxxxxxxx wrote: > > > Ideally (from this perspective), the host would validate the response itself. > > > > Exactly, if sshd is sufficiently paranoid it should make a query with > > CD set in the request and do all the validation client-side. If you let > > your nameserver do the validation, I think it's still possible to MITM > > this by messing with the communication between the stub resolver and the > > name server, which isn't secured. > > Not to mention that one has to trust one's own nameserver, which is a > bad idea when using a public wireless access point. In order to achieve I believe that can be simplified to 'using a public wireless access point is a bad idea' =) -- Adam Williamson Fedora QA Community Monkey IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org http://www.happyassassin.net -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
