[bind10-dev] BigTool and new module Command/Control

Shane Kerr shane at isc.org
Tue Nov 24 10:57:20 UTC 2009


Likun,

On Thu, 2009-11-19 at 22:29 +0800, ZhangLikun wrote:
> > seems ok to me (for now? would administrators want some kind of certificate
> > with asymm crypto here?)
> 
> I don't know, seems Michael or Shane mentioned it in the f2f meeting. But
> maybe administrators always say YES! 

I'd rather use SSL than invent our own technology.

It is quite easy to set up an SSL session with Python:

http://docs.python.org/3.1/library/ssl.html

If we want, we can rely on opportunistic authentication, like SSH does.

That means, after we connect we would use the getpeercert() method to
get the certificate, and if there was no certificate for the server we
would prompt the user if they wanted to accept it and possibly save it
for future connections. If we already have a certificate, we check that
it matches.

Once the connection is safely encrypted, we can use simple user
name/password for client authentication. We can also easily support
client-side certificates, so we should probably do that.

We may wish to investigate Kerberos authentication at some point, but I
don't think it is critical.

--
Shane
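The opportunistic (trust-on-first-use) check Shane sketches above, written out as an added example; this is not BIND 10 code and not part of the original message. The `KnownHosts` class, the function names, the "host:port" pin-store key and the stand-in certificate bytes in `demo()` are all assumptions made for the illustration. Two points the message does not spell out: `getpeercert()` returns an empty dict for a certificate the context did not validate, so a TOFU client has to call it with `binary_form=True` and fingerprint the DER bytes; and because the pin replaces CA validation, `verify_mode` is set to `CERT_NONE` deliberately, with a mismatch against a saved pin treated as a hard failure rather than a new prompt. The `ssl` calls used here need Python 3.6 or later.

```python
"""Trust-on-first-use (TOFU) pinning around ssl.SSLSocket.getpeercert().

Added example, not BIND 10 code. Store layout (host:port -> SHA-256
fingerprint) and all names below are assumptions for the illustration.
"""
import hashlib
import socket
import ssl
from typing import Callable, Dict, List, Optional

# Callback asked on first contact: (host_key, fingerprint) -> accept?
Prompt = Callable[[str, str], bool]


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER bytes, colon-separated like `openssl x509 -fingerprint`."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class KnownHosts:
    """Minimal known-hosts store: one pinned fingerprint per "host:port" key."""

    def __init__(self, pins: Optional[Dict[str, str]] = None) -> None:
        self.pins: Dict[str, str] = dict(pins or {})

    def check(self, key: str, der_cert: Optional[bytes], prompt: Prompt) -> str:
        """Return 'trusted', 'accepted', 'rejected', 'mismatch' or 'no-cert'.

        - no pin yet: ask the user; on yes, save the fingerprint ('accepted')
        - pin present and equal: 'trusted' (no prompt)
        - pin present and different: 'mismatch' (never overwritten silently)
        """
        if not der_cert:
            return "no-cert"  # server offered no certificate at all
        fp = fingerprint(der_cert)
        pinned = self.pins.get(key)
        if pinned is None:
            if prompt(key, fp):
                self.pins[key] = fp
                return "accepted"
            return "rejected"
        return "trusted" if pinned == fp else "mismatch"


def connect_tofu(host: str, port: int, known: KnownHosts, prompt: Prompt,
                 timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection and pin the server certificate TOFU-style.

    CA validation is switched off on purpose: the saved pin is the trust
    anchor. binary_form=True is required, because getpeercert() returns {}
    for an unvalidated certificate and there would be nothing to fingerprint.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    verdict = known.check(f"{host}:{port}", der, prompt)
    if verdict not in ("trusted", "accepted"):
        tls.close()
        raise ssl.SSLError(f"{host}:{port}: certificate {verdict}")
    return tls


def demo() -> List[str]:
    """Exercise the store offline with constructed stand-in DER bytes."""
    # Constructed: a real DER certificate starts with a SEQUENCE tag (0x30);
    # for the fingerprint logic any byte string behaves the same way.
    server_cert = b"\x30\x82\x01\x00" + b"constructed-cert-A"
    rogue_cert = b"\x30\x82\x01\x00" + b"constructed-cert-B"
    key = "ctrl.example:9000"  # constructed host:port
    known = KnownHosts()
    accept_all: Prompt = lambda _host, _fp: True
    refuse_all: Prompt = lambda _host, _fp: False
    return [
        known.check(key, server_cert, accept_all),  # first use: user accepts
        known.check(key, server_cert, refuse_all),  # pinned: trusted, no prompt
        known.check(key, rogue_cert, accept_all),   # different cert: mismatch
        known.check(key, None, accept_all),         # no certificate presented
    ]


if __name__ == "__main__":
    print(demo())
```

`demo()` shows the decision table without a network: the second call proves a pinned host never reaches the prompt, and the third shows that a changed certificate is refused even when the prompt callback would say yes, which is the property that makes the scheme resist a later substitution rather than only the first connection.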
