Re: Network security manager
From: Toke Høiland-Jørgensen
Subject: Re: Network security manager
Date: Tue, 18 Nov 2014 23:09:38 +0100

Lars Magne Ingebrigtsen <address@hidden> writes:

> On the other hand, we could store the server names in plain text when
> we store security exceptions to make reviews easier. That is, keep the
> hash-only thing for STARTTLS man-in-the-middle tracking and the like,
> but if the user registers an exception, then we'd stash the server
> name in there, too.

Would it make sense to have a hostname-based setting for credentials
storage? I.e. similar to how gnutls-verify-error is currently a hostname
match, I might want to set nsm-security-level per hostname. For
instance, I'd like to have 'paranoid' security for the services I
provide credentials to (most notably my mail server), but would probably
not mind keeping random TLS servers I may happen to download an image
from out of my certificate list file.

> This would avoid leaving a complete list of STARTTLS servers in that
> file, but still allow easy removal of specific exceptions.

OpenSSH has the 'HashKnownHosts' configuration parameter which
determines whether hostnames should be hashed in the trust store
(similar to what you are doing). I tend to turn it off to be able to
find things...
-Toke
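
The review trade-off with a hashed trust store, shown on the OpenSSH `known_hosts` format mentioned in the message above. This is an added example, not part of the original message and not OpenSSH's own code; the function names, host names and key placeholders are assumptions made for illustration, and wildcard patterns in plain entries are not handled.

```python
import base64
import hashlib
import hmac
import os

def hash_host(hostname, salt=None):
    """Hashed host field: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=hostname))."""
    salt = salt if salt is not None else os.urandom(20)
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())

def field_matches(field, hostname):
    """True if a known_hosts host field refers to `hostname`."""
    if not field.startswith("|1|"):
        # Plain entry: comma-separated literal names (no wildcard handling).
        return hostname in field.split(",")
    try:
        _, _, salt_b64, mac_b64 = field.split("|")
        salt = base64.b64decode(salt_b64)
        stored = base64.b64decode(mac_b64)
    except ValueError:
        return False  # malformed hashed field
    candidate = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(candidate, stored)

def find_entries(lines, hostname):
    """1-based line numbers of entries for `hostname` (what `ssh-keygen -F` looks up)."""
    hits = []
    for number, line in enumerate(lines, start=1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):  # @cert-authority / @revoked marker
            fields = fields[1:]
        if fields and field_matches(fields[0], hostname):
            hits.append(number)
    return hits

# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE = [
    "# constructed known_hosts sample",
    hash_host("mail.example.org", salt=b"A" * 20) + " ssh-ed25519 PLACEHOLDERKEY1",
    "img.example.net,192.0.2.7 ssh-ed25519 PLACEHOLDERKEY2",
    hash_host("[git.example.org]:2222") + " ssh-rsa PLACEHOLDERKEY3",
]

if __name__ == "__main__":
    for host in ("mail.example.org", "img.example.net", "other.example.com"):
        print(host, "->", find_entries(SAMPLE, host))
```

A hashed entry can only be found by testing a candidate name against each line's salt, so it cannot be listed or grepped for review, while the plain entry on line 3 is readable by anyone who opens the file.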