X.509 support in ssh (revisited)

Peter Watkins peterw at usa.net
Thu Jan 24 05:21:25 EST 2002


On Wed, Jan 23, 2002 at 12:03:35PM -0600, mouring at etoh.eviladmin.org wrote:
> On Wed, 23 Jan 2002, Peter Watkins wrote:

> > A 3rd party CA can at least give the user confidence that the server is
> > owned by the folks who own the domain name, and that is a *LOT* better than
> > the current behavior. Some sort of CA/cert setup definitely makes sense, IMO.

> > Organizations could set up
> > their own CA's and CRLs, and would only need to distribute the CA cert with
> > the client setups -- an easy, one-time setup. Much more manageable than
> > distributing N host keys to M known hosts files, and updating those M files.

> What an utter joke.  CAs give you warm fuzzy feelings.  Not much more.

Without CAs, Internet commerce (business-to-consumer) simply could not 
happen. That's not a joke, it's reality. Do certs solve all problems? No.
Are they perfect? No. Are they better than the current status quo? Many
of us believe they would be. While you might not choose to use a cert,
and might (arguably very reasonably) *never* want the official OpenSSH 
package, even "portable", to include any "trusted" CA certs, I think adding 
cert support would be appreciated by many of the rest of us. No joke.

> As I said.. from a trust view.. it is a total and utter joke.

I'd argue the current system of key "management" is an utter joke. Comparing
OpenSSH to https is like comparing /etc/hosts to DNS. From a trust view, DNS
is a joke, right? Now raise your hand if you want to go back to the days of
distributing and managing local host lookup tables.

-Peter
-- 
We must all learn to live together as brothers,
or we will all perish as fools. - Dr Martin Luther King, Jr


