Subject: Re: ssh, secure telnet, etc.
To: Dan Riley <dsr@mail.lns.cornell.edu>
From: RJ Atkinson <rja@inet.org>
List: tech-security
Date: 12/21/2000 15:32:22

At 15:27 21/12/00, Dan Riley wrote:
>  You have
>to judge the protocols on their actual merits (which in the case of
>secure telnet means reading rfcs 2941 - 2953, especially rfc2941 and
>rfc2946), rather than the perceived merits of their parentage.

        That is all fine, well, and good.  

        I'd suggest, however, based on watching a number of folks 
do curious things with their implementations of other RFCs, 
that in the security arena, it is particularly prudent to examine 
the particular source code for the implementation one is using -- 
in addition to evaluating the theoretical protocol described
in the RFC(s).  I've been startled by how many "security"
implementations (of arbitrary protocols in arbitrary RFCs or
other specs) contain computationally-expensive crypto without
providing meaningful security properties to the user(s).