On Wed, 1 Apr 2009 11:16:48 -0500, Kirk Wolf <k...@dovetail.com> wrote:

>
>I guess it's cool now for IBM security audits to prefer passwords to
>certificates, now that z/OS 1.10 TSO supports >8 character passwords ;-)

We don't prefer passwords to certificates.  Our Common Criteria security
evaluation is perfectly happy with using digital certificates, or passwords,
or PassTickets, or password phrases.  They all have appropriate management
controls built in, via RACF.

SSH private/public keys do not have appropriate management controls,
however.  The Security Administrator cannot expire them, nor control their
strength, for example.

>
>It's a pity that RACF (and hw keystores) can't store SSH-style public/private
>keys (DSA, RSA) and support sign/check functions, to be exploited by z/OS
>SSH.  X.509 isn't the only game in town, and the SSH RFC group has some good
>rationale against adopting it.

I haven't investigated their rationale for not going with X.509, but I would
like to see us provide better management of SSH-style public/private keys
someday, when that has a high enough priority with both the RACF and Ported
Tools SSH teams.

>
>But z/OS Ported Tools OpenSSH has several weaknesses wrt security - where's
>kerberos? where's PAM?

Also good questions.  I can only assume it's merely a matter of priorities
and resources available for development.

-- 
  Walt Farrell, CISSP
  IBM STSM, z/OS Security Design

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
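Walt's point that the Security Administrator can neither expire SSH keys nor control their strength means the most a z/OS (or any OpenSSH) site can do is audit authorized_keys after the fact. The script below is an added example for this thread, not code from IBM, the Ported Tools OpenSSH, or any poster: it decodes each public-key blob using the RFC 4253 wire format (length-prefixed strings and mpints), measures the effective key strength, and flags entries that carry no `expiry-time` option. Assumptions: the `expiry-time` option is an OpenSSH feature added in release 7.7, long after this 2009 exchange; ssh-dss keys are fixed at 1024 bits and disabled by default since OpenSSH 7.0; the 2048-bit RSA floor, the user names, and the sample keys (synthetic numbers of the right size, not real key material) are all constructed for the example.

```python
"""Audit an OpenSSH authorized_keys file for key strength and expiry.
Added example, not code from the IBM-MAIN thread.  Assumes the public-key
blob format of RFC 4253 section 6.6 and the authorized_keys option syntax
of sshd(8); the expiry-time option dates from OpenSSH 7.7, not 2009."""
import base64
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
CURVE_BITS = {b"nistp256": 256, b"nistp384": 384, b"nistp521": 521}


# --- RFC 4253 wire-format helpers: uint32 length prefix, mpint is two's complement ---
def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def ssh_mpint(value: int) -> bytes:
    # extra leading zero byte when the top bit is set keeps the number positive
    return ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))

def read_string(blob: bytes, off: int):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def key_strength(blob: bytes):
    """Return (key type, effective strength in bits) from a decoded public-key blob."""
    ktype, off = read_string(blob, 0)
    if ktype == b"ssh-rsa":
        _e, off = read_string(blob, off)          # exponent, then modulus n
        n, _ = read_string(blob, off)
        return "ssh-rsa", int.from_bytes(n, "big").bit_length()
    if ktype == b"ssh-dss":
        p, _ = read_string(blob, off)             # p is the first of p, q, g, y
        return "ssh-dss", int.from_bytes(p, "big").bit_length()
    if ktype == b"ssh-ed25519":
        return "ssh-ed25519", 256
    if ktype.startswith(b"ecdsa-sha2-"):
        curve, _ = read_string(blob, off)
        return ktype.decode(), CURVE_BITS[curve]
    raise ValueError(f"unsupported key type {ktype!r}")


def parse_options(opts: str) -> dict:
    """Turn 'command="a b",expiry-time="20301231",no-pty' into a name->value dict."""
    found, buf, in_quote = {}, "", False
    for ch in opts + ",":
        if ch == '"':
            in_quote = not in_quote
        elif ch == "," and not in_quote:
            if buf:
                name, _, value = buf.partition("=")
                found[name] = value
            buf = ""
        else:
            buf += ch
    return found


def split_line(line: str):
    """Split one authorized_keys line into (options, key type, blob bytes, comment)."""
    if line.startswith(KEY_TYPES):
        opts, rest = "", line
    else:                                         # options precede the key; quotes may hold spaces
        in_quote, cut = False, None
        for i, ch in enumerate(line):
            if ch == '"' and (i == 0 or line[i - 1] != "\\"):
                in_quote = not in_quote
            elif ch.isspace() and not in_quote:
                cut = i
                break
        if cut is None:
            raise ValueError("no key material on line")
        opts, rest = line[:cut], line[cut:].strip()
    fields = rest.split(None, 2)
    comment = fields[2] if len(fields) > 2 else ""
    return parse_options(opts), fields[0], base64.b64decode(fields[1]), comment


def audit(text: str, min_rsa_bits: int = 2048):
    """Return one finding per key entry; 'issues' is empty when the key passes."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options, _, blob, comment = split_line(line)
        ktype, bits = key_strength(blob)
        issues = []
        if ktype == "ssh-dss":
            issues.append("ssh-dss key: fixed 1024-bit strength, off by default since OpenSSH 7.0")
        elif ktype == "ssh-rsa" and bits < min_rsa_bits:
            issues.append(f"RSA modulus {bits} bits < {min_rsa_bits}")
        if "expiry-time" not in options:
            issues.append("no expiry-time option: key never expires")
        findings.append({"comment": comment, "type": ktype, "bits": bits,
                         "expires": options.get("expiry-time"), "issues": issues})
    return findings


def _blob(*fields: bytes) -> str:
    return base64.b64encode(b"".join(fields)).decode()

# Constructed sample keys: synthetic numbers of the right size, not real key material.
_RSA_1024 = _blob(ssh_string(b"ssh-rsa"), ssh_mpint(65537), ssh_mpint((1 << 1023) | 1))
_RSA_4096 = _blob(ssh_string(b"ssh-rsa"), ssh_mpint(65537), ssh_mpint((1 << 4095) | 1))
_DSS_1024 = _blob(ssh_string(b"ssh-dss"), ssh_mpint((1 << 1023) | 1),
                  ssh_mpint((1 << 159) | 1), ssh_mpint(2), ssh_mpint(3))
_ED25519 = _blob(ssh_string(b"ssh-ed25519"), ssh_string(bytes(range(32))))

SAMPLE_AUTHORIZED_KEYS = f"""\
# constructed authorized_keys for the audit example (hypothetical users)
ssh-rsa {_RSA_1024} legacy@zos
expiry-time="20301231",no-pty ssh-rsa {_RSA_4096} svc-sftp@zos
ssh-dss {_DSS_1024} old-dsa@zos
command="/usr/bin/rsync --server",expiry-time="20301231" ssh-ed25519 {_ED25519} backup@zos
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_AUTHORIZED_KEYS):
        status = "OK  " if not f["issues"] else "FAIL"
        print(f"{status} {f['type']:<12}{f['bits']:>5} bits  {f['comment']:<14} {'; '.join(f['issues'])}")
```

Two of the four constructed entries fail: the 1024-bit RSA key and the DSA key, each both too weak and without an expiry. This is exactly the gap Walt describes: the check runs against a file the user controls, so it reports what exists rather than enforcing what is allowed; the RACF-managed credentials in the same message are enforced at creation and use.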
