X.509 support in ssh (revisited)
Peter Watkins
peterw at usa.net
Thu Jan 24 04:09:26 EST 2002

On Wed, Jan 23, 2002 at 05:42:46PM +0100, Markus Friedl wrote:
> On Wed, Jan 23, 2002 at 10:31:38AM -0600, mouring at etoh.eviladmin.org wrote:
> > Does X.509 really make sense with SSH? I mean you are still not going to
> > get Verisigned licenses and even that you are putting your trust in a 3rd
> > party certificate which has no real bearing on the trust of the machine in
> > question.

A 3rd party CA can at least give the user confidence that the server is
owned by the folks who own the domain name, and that is a *LOT* better than
the current behavior. Some sort of CA/cert setup definitely makes sense, IMO.

> well it could make hostkey management simpler, but i see
> no difference between people clicking on
> "continue, i don't care about this hostkey"
> and
> "continue, i don't care about the certificate for this hostkey"

Many of us get OpenSSH from the companies and organizations that build our
operating environments (Sun, Red Hat, Debian, etc.). These entities could
distribute OpenSSH clients that behave like https Web browsers -- include
a set of known/trusted CA keys, and make ssh_config such that users must
do something extra to accept an unsigned key, an expired cert, or a cert
from an untrusted CA -- much like Web browsers do. Organizations could set up
their own CA's and CRLs, and would only need to distribute the CA cert with
the client setups -- an easy, one-time setup. Much more manageable than
distributing N host keys to M known hosts files, and updating those M files.

-Peter
--
We must all learn to live together as brothers,
or we will all perish as fools. - Dr Martin Luther King, Jr