X.509 support in ssh (revisited)
Markus Friedl
markus at openbsd.org
Thu Jan 24 05:38:53 EST 2002
On Wed, Jan 23, 2002 at 12:57:24PM -0500, Ed Phillips wrote:
> On Wed, 23 Jan 2002, Markus Friedl wrote:
>
> > Date: Wed, 23 Jan 2002 17:42:46 +0100
> > From: Markus Friedl <markus at openbsd.org>
> > To: mouring at etoh.eviladmin.org
> > Cc: Donald van de Weyer <donald at demag.rwth-aachen.de>,
> > Thanos Siaperas <thanus at ccf.auth.gr>, openssh-unix-dev at mindrot.org,
> > secureshell at securityfocus.com
> > Subject: Re: X.509 support in ssh (revisited)
> >
> > On Wed, Jan 23, 2002 at 10:31:38AM -0600, mouring at etoh.eviladmin.org wrote:
> > > Does X.509 really make sense with SSH? I mean you are still not going to
> > > get Verisigned licenses and even that you are putting your trust in a 3rd
> > > party certificate which has no real bearing on the trust of the machine in
> > > question.
> >
> > well it could make hostkey management simpler, but i see
> > no difference between people clicking on
> > "continue, i don't care about this hostkey"
>
> Okay... maybe someone has upgraded OpenSSH on the system and generated a
> new hostkey. How can you tell?
>
> > and
> > "continue, i don't care about the certificate for this hostkey"
>
> The kicker is that if you manage the systems, you shouldn't see this
> message because the client will know which CA(s) your client should trust
i know, but this is not how i see people use https, for example.
-m