X.509 support in ssh (revisited)

mouring at etoh.eviladmin.org
Thu Jan 24 05:03:35 EST 2002


On Wed, 23 Jan 2002, Peter Watkins wrote:

> On Wed, Jan 23, 2002 at 05:42:46PM +0100, Markus Friedl wrote:
> > On Wed, Jan 23, 2002 at 10:31:38AM -0600, mouring at etoh.eviladmin.org wrote:
> > > Does X.509 really make sense with SSH?  I mean you are still not going to
> > > get Verisigned licenses and even that you are putting your trust in a 3rd
> > > party certificate which has no real bearing on the trust of the machine in
> > > question.
>
> A 3rd party CA can at least give the user confidence that the server is
> owned by the folks who own the domain name, and that is a *LOT* better than
> the current behavior. Some sort of CA/cert setup definitely makes sense, IMO.
>
> > well it could make hostkey management simpler, but i see
> > no difference between people clicking on
> > 	"continue, i don't care about this hostkey"
> > and
> > 	"continue, i don't care about the certificate for this hostkey"
>
> Many of us get OpenSSH from the companies and organizations that build our
> operating environments (Sun, Red Hat, Debian, etc.). These entities could
> distribute OpenSSH clients that behave like https Web browsers -- include
> a set of known/trusted CA keys, and make ssh_config such that users must
> do something extra to accept an unsigned key, an expired cert, or a cert
> from an untrusted CA -- much like Web browsers do. Organizations could set up
> their own CA's and CRLs, and would only need to distribute the CA cert with
> the client setups -- an easy, one-time setup. Much more manageable than
> distributing N host keys to M known hosts files, and updating those M files.
>

What an utter joke.  CAs give you warm fuzzy feelings.  Not much more.
Just because some CA 'claims' to have signed a key does not mean much
(Refer to the forged signatures of Microsoft due to a stupid Verisign
employee that happened last year).

This has been heavily discussed in a lot of security groups.  It was a very
hot topic when Microsoft did not include a lot of the smaller CA vendors
that appeared and people started complaining about being prompted for such
verifications when they dished out money for a 'trusted CA'.

As I said.. from a trust view.. it is a total and utter joke.

- Ben




More information about the openssh-unix-dev mailing list