AllowHosts / DenyHosts

Damien Miller djm at mindrot.org
Thu Mar 1 23:24:25 EST 2001


On Thu, 1 Mar 2001, Dan Kaminsky wrote:

> > keynote is not about certificates, it's about policy.
>
> Looked like a way of putting policies into a certificate style
> syntax.  My point is that there's a pretty high barrier to using
> certificates, which has made them fail spectacularly.  Adopting
> their syntax, when it's not:
>
> A) Brain Dead Simple

Keynote is about as simple as it can be, for the job it does. Its syntax
is nothing like X.509, unless you are using X.509 certificates with it.

> B) XMLish

yuk. Of the many things that XML is useful for, expressing human-readable
security policy is not one of them.

> ...doesn't really seem like it'll gain a lot of followers.  I mean, I
> thoroughly grant you that I haven't examined Keynote nearly enough
> to dismiss it, and honestly am interested in what you think SSH
> would get out of what might be a very significant amount of code.

Keynote is pretty compact. It offers administrators and users the
ability to define and delegate policy in a general and powerful
manner. OpenBSD uses it pretty heavily to good effect, in their
Kerberos and isakmpd implementations.

Do investigate it further - I think that you will be surprised by how
general and flexible it is.

-d

-- 
| Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's
| http://www.mindrot.org          /   distributed filesystem'' - Dan Geer
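As an added illustration of the "define and delegate policy" point above (this is not code from the original post, from OpenSSH or from OpenBSD), here is a pair of KeyNote assertions in the RFC 2704 syntax. The first is an unsigned local policy that trusts an administrator's key; the second is an assertion signed by that administrator delegating a narrower right to a user's key. The application domain name "EXAMPLE-SSH", the action attributes `user` and `hour`, and the bracketed key and signature placeholders are all assumptions made for the example; a real deployment would define its own attribute set and substitute real hex-encoded keys.

```keynote
KeyNote-Version: 2
Comment: Local policy (assumed example): trust ADMIN_KEY for the
         EXAMPLE-SSH application domain. Policy assertions are
         unsigned and live in the verifier's trusted store.
Local-Constants: ADMIN_KEY = "rsa-hex:<admin public key, hex>"
Authorizer: "POLICY"
Licensees: ADMIN_KEY
Conditions: app_domain == "EXAMPLE-SSH" -> "true";

KeyNote-Version: 2
Comment: Delegation (assumed example): the administrator grants
         USER_KEY the right to act as "deploy", only between 08:00
         and 18:00. The '@' prefix forces numeric comparison of the
         hour attribute supplied by the application at query time.
Local-Constants: USER_KEY = "dsa-hex:<user public key, hex>"
Authorizer: "rsa-hex:<admin public key, hex>"
Licensees: USER_KEY
Conditions: app_domain == "EXAMPLE-SSH" &&
            user == "deploy" &&
            @hour >= 8 && @hour < 18 -> "true";
Signature: "sig-rsa-sha1-hex:<signature over this assertion by ADMIN_KEY>"
```

The verifier is handed the two assertions plus the action attributes for a request (app_domain, user, hour, and the requesting key as the principal); it returns "true" only if there is a chain from POLICY through the administrator's key to the user's key whose Conditions are all satisfied. The delegation assertion can be held and presented by the user rather than installed on the server, which is what lets a KeyNote policy be extended without editing the server's local policy file.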
