X.509 support in ssh (revisited)

Ed Phillips ed at UDel.Edu
Thu Jan 24 05:40:26 EST 2002


On Wed, 23 Jan 2002, Markus Friedl wrote:

> Date: Wed, 23 Jan 2002 19:38:53 +0100
> From: Markus Friedl <markus at openbsd.org>
> To: Ed Phillips <ed at UDel.Edu>
> Cc: mouring at etoh.eviladmin.org,
>      Donald van de Weyer <donald at demag.rwth-aachen.de>,
>      Thanos Siaperas <thanus at ccf.auth.gr>, openssh-unix-dev at mindrot.org,
>      secureshell at securityfocus.com
> Subject: Re: X.509 support in ssh (revisited)
>
> On Wed, Jan 23, 2002 at 12:57:24PM -0500, Ed Phillips wrote:
> > On Wed, 23 Jan 2002, Markus Friedl wrote:
> >
> > > Date: Wed, 23 Jan 2002 17:42:46 +0100
> > > From: Markus Friedl <markus at openbsd.org>
> > > To: mouring at etoh.eviladmin.org
> > > Cc: Donald van de Weyer <donald at demag.rwth-aachen.de>,
> > >      Thanos Siaperas <thanus at ccf.auth.gr>, openssh-unix-dev at mindrot.org,
> > >      secureshell at securityfocus.com
> > > Subject: Re: X.509 support in ssh (revisited)
> > >
> > > On Wed, Jan 23, 2002 at 10:31:38AM -0600, mouring at etoh.eviladmin.org wrote:
> > > > Does X.509 really make sense with SSH?  I mean you are still not going to
> > > > get Verisigned licenses and even that you are putting your trust in a 3rd
> > > > party certificate which has no real bearing on the trust of the machine in
> > > > question.
> > >
> > > well it could make hostkey management simpler, but i see
> > > no difference between people clicking on
> > > 	"continue, i don't care about this hostkey"
> >
> > Okay... maybe someone has upgraded OpenSSH on the system and generated a
> > new hostkey.  How can you tell?
> >
> > > and
> > > 	"continue, i don't care about the certificate for this hostkey"
> >
> > The kicker is that if you manage the systems, you shouldn't see this
> > message because the client will know which CA(s) your client should trust
>
> i know, but this is not how i see how people use https, for example.

Hehehe... I agree.  In our environment, we'd make the client refuse to
connect under these circumstances. ;-)

	Ed

Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key
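What Ed's "refuse to connect" policy and the CA-based host key trust Markus describes look like in OpenSSH configuration, as an added example that is not part of this thread and not code from either author. It goes beyond the 2002 discussion in one respect: the `@cert-authority` marker in known_hosts relies on OpenSSH's own certificate format, introduced in OpenSSH 5.4, not on X.509. The `*.example.edu` pattern, the CA key and the file paths are placeholders.

```sshconfig
# ---- client side: ~/.ssh/config (or /etc/ssh/ssh_config) ----
# Added example; domain pattern is a placeholder.
Host *.example.edu
    # Fail closed: never add an unknown host key automatically and never
    # offer the "continue, I don't care about this hostkey" prompt.
    # A changed or unknown key is a connection failure, not a question.
    StrictHostKeyChecking yes
    UserKnownHostsFile ~/.ssh/known_hosts

# ---- client side: ~/.ssh/known_hosts ----
# Trust any host key carrying a certificate signed by the site CA.
# Requires OpenSSH 5.4 or later; the key below is a placeholder.
@cert-authority *.example.edu ssh-ed25519 AAAA...PLACEHOLDER_SITE_CA_PUBLIC_KEY...

# ---- server side: /etc/ssh/sshd_config ----
# Present the CA-signed certificate for the host key alongside the key.
HostKey /etc/ssh/ssh_host_ed25519_key
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
```

The certificate referenced by `HostCertificate` is produced on the CA machine with `ssh-keygen -s <ca_private_key> -I <key_id> -h -n host.example.edu ssh_host_ed25519_key.pub`. This answers the "how can you tell?" question in the thread: when a host is rebuilt or re-keyed, the administrator signs the new key with the same CA, and clients holding the `@cert-authority` line accept it without any prompt; a host presenting a key that is neither certified nor already in known_hosts is simply refused under `StrictHostKeyChecking yes`.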
