[Dundi] Looking Glass

Mark Spencer markster at digium.com
Sun Oct 31 10:11:51 CST 2004


Without requiring SSL to protect the md5 secret being transmitted, an 
observer on the wire could then snoop the md5 secret and use it to gain 
access to the system after the fact unless the number which was presented 
for authentication changed each time and the same number was not repeated 
within the cache time.  Further, without SSL, whatever information is 
transmitted would then be visible to anyone on the wire.

Basically SSL provides an additional layer of security which is fairly 
simple to setup and seems pretty worth it :)

Mark

On Sat, 30 Oct 2004, Joe Abley wrote:

>
> On 30 Oct 2004, at 18:18, Mark Spencer wrote:
>
>>> If a person was able to look up a number I publish into the peering 
>>> network, would that not be enough evidence they have executed the GPA. I 
>>> see no other way they could get ahold of the current rotating key 
>>> without a GPA in place with some member.
>> 
>> After discussion with Ed, we propose the following authentication method 
>> which we believe would likely be in line with the letter and spirit of the 
>> GPA:
>> 
>> Require the user to send a password over SSL which is the md5sum of the 
>> answer to a particular query for a number.  By requiring the answer to a 
>> specific number, with rotating secret, served by the authenticating party, 
>> they are proving that the party requesting access is a member of the Trust 
>> Group.  Further, by sending the md5sum, the party requesting access is not 
>> violating the GPA by transmitting route information.
>
> Why require SSL?
>
>
> Joe
>
> _______________________________________________
> Dundi mailing list
> Dundi at lists.digium.com
> http://lists.digium.com/mailman/listinfo/dundi
>
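The replay concern in the reply above, worked through as an added example. This is not code from the list or from DUNDi itself: the route answer is a constructed stand-in derived from the queried number and a hypothetical rotating key (in the real network it would come from the peering lookup), and the two-message exchange (challenge number out, md5 of the answer back) is modelled as plain function calls so it can run offline. The point it shows is the one the reply makes: when the challenged number repeats, a passive observer who captured one md5 response can replay it; when each session gets a number not reused within the cache window, the captured response is useless.

```python
import hashlib
import hmac


def route_answer(number: str, rotating_key: bytes) -> str:
    """Constructed stand-in for the answer a trust-group member gets when it
    looks up `number`. In the real peering network this is the DUNDi lookup
    result; here it is derived from the number and a hypothetical rotating
    key so that only a key holder can reproduce it."""
    tag = hmac.new(rotating_key, number.encode(), hashlib.sha256).hexdigest()[:16]
    return f"IAX2/priv:{tag}@peer.example/{number}"


def response_for(number: str, rotating_key: bytes) -> str:
    """What the requesting party sends: the md5sum of the route answer,
    never the route itself."""
    return hashlib.md5(route_answer(number, rotating_key).encode()).hexdigest()


class LookingGlass:
    """The authenticating party. It challenges each session with a number and
    accepts the md5 of the answer it would itself serve for that number."""

    def __init__(self, rotating_key: bytes, fresh_challenges: bool):
        self.key = rotating_key
        self.fresh = fresh_challenges
        self.pending = {}   # session id -> number it was challenged with
        self.used = set()   # numbers handed out within the current cache window
        self._counter = 0

    def challenge(self, session: str) -> str:
        if self.fresh:
            # Pick a number that has not been presented during this cache window.
            while True:
                self._counter += 1
                number = f"1555{self._counter:07d}"
                if number not in self.used:
                    break
            self.used.add(number)
        else:
            # The weak variant: the same number is presented every time.
            number = "15555551212"
        self.pending[session] = number
        return number

    def verify(self, session: str, response: str) -> bool:
        number = self.pending.pop(session, None)
        if number is None:
            return False
        expected = response_for(number, self.key)
        return hmac.compare_digest(expected, response)


def replay_scenario(fresh_challenges: bool) -> tuple:
    """One legitimate authentication in the clear, then a passive observer
    replays the captured md5 in a second session.
    Returns (member_accepted, replay_accepted)."""
    key = b"rotating-key-2004-10"  # constructed trust-group key
    lg = LookingGlass(key, fresh_challenges)

    # Legitimate member: holds the key, so it can compute the answer itself.
    n1 = lg.challenge("member")
    r1 = response_for(n1, key)
    member_ok = lg.verify("member", r1)

    # Eavesdropper: saw n1 and r1 on the wire, has no key, replays r1.
    lg.challenge("eavesdropper")
    replay_ok = lg.verify("eavesdropper", r1)
    return member_ok, replay_ok


if __name__ == "__main__":
    print("repeated number:", replay_scenario(False))  # (True, True)
    print("fresh number:   ", replay_scenario(True))   # (True, False)
```

The md5 response is bound to the challenged number, so a fresh number per session defeats replay even without SSL; SSL is still what keeps the response and everything else in the session from being read on the wire, which is the second point made in the reply.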

