X.509 support in ssh (revisited)
mouring at etoh.eviladmin.org
Thu Jan 24 05:07:28 EST 2002
On Wed, 23 Jan 2002, Ed Phillips wrote:
> On Wed, 23 Jan 2002, Markus Friedl wrote:
>
> > Date: Wed, 23 Jan 2002 17:42:46 +0100
> > From: Markus Friedl <markus at openbsd.org>
> > To: mouring at etoh.eviladmin.org
> > Cc: Donald van de Weyer <donald at demag.rwth-aachen.de>,
> > Thanos Siaperas <thanus at ccf.auth.gr>, openssh-unix-dev at mindrot.org,
> > secureshell at securityfocus.com
> > Subject: Re: X.509 support in ssh (revisited)
> >
> > On Wed, Jan 23, 2002 at 10:31:38AM -0600, mouring at etoh.eviladmin.org wrote:
> > > Does X.509 really make sense with SSH? I mean you are still not going to
> > > get Verisigned licenses and even that you are putting your trust in a 3rd
> > > party certificate which has no real bearing on the trust of the machine in
> > > question.
> >
> > well it could make hostkey management simpler, but i see
> > no difference between people clicking on
> > "continue, i don't care about this hostkey"
>
> Okay... maybe someone has upgraded OpenSSH on the system and generated a
> new hostkey. How can you tell?
>
> > and
> > "continue, i don't care about the certificate for this hostkey"
>
> The kicker is that if you manage the systems, you shouldn't see this
> message because the client will know which CA(s) your client should trust
> in on certs for sshd servers you want to connect to. If you see this
> message when certs are in play, then something is likely wrong.
>
> I would think that the benefit here is that if your client is configured
> to trust only certain signers, then Joe Hacker can't play
> man-in-the-middle during the "should I accept this hostkey" question,
> because Joe Hacker shouldn't have the private key for the CA you trust.
>
> Isn't that an improvement?
>
Until your CA's employees do something brain dead like hand out a copy of
your key to someone who 'claims' to be an employee of your company.
Refer to the Microsoft and VeriSign issue last year which caused MS to re-sign a
ton of packages and revoke a very heavily used key.
Think warm fuzzy thoughts that your CA is trustworthy. =)
- Ben