X.509 support in ssh (revisited)
Anne Carasik
gator at cacr.caltech.edu
Thu Jan 24 05:49:19 EST 2002
On Wed, Jan 23, 2002 at 01:32:01PM -0500, Ed Phillips wrote:
> I wasn't the one talking about a CA "service" like Thawte or Verisign - I
> was talking about a home-brew CA used just to sign OpenSSH hostkeys and
> verify them so that it can all be automated. I only need to protect the
> home-brew-CA private key. That is workable in my environment, and the
> reward seems worth the effort. Anyone else think it would be worth it?
I think so. Having all your hostkeys signed by a central authority (like
an OpenSSL generated key) should be fine. There's no reason you have to
pay a Certificate Authority to do it.
You could do something like GnuPG and sign all the keys by a single key
(treating it like a CA), if OpenSSH can have a hook to use GnuPG keys.
> > Refer to Microsoft and Verisign issue last year which caused MS to resign a
> > ton of packages and revoke a very heavily used key.
> If you trust them, then you're in for a world of hurt in these situations.
No kidding. I'd prefer to run my own CA and sign the keys that way. As a
university employee, we look for solutions that are very cost-effective
(especially if they don't cost anything :).
That's what OpenSSL is for. You can make your own certs. :)
> > Think warm fuzzy thoughts that your CA is trustworthy. =)
> Yes... it's nice isn't it? ;-P
*shiver*
-Anne
--
.-"".__."``". Anne Carasik, sysadmin, gator at cacr.caltech.edu
.-.--. _...' (/) (/) ``' Don't insult the alligator till after you
(O/ O) \-' ` -="""=. ', cross the river. -unknown
~`~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
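The arrangement Ed and Anne are discussing, a home-brew CA that signs OpenSSH host keys so clients can verify them automatically, is what OpenSSH later shipped natively as certificates (ssh-keygen -s to sign, @cert-authority in known_hosts to trust the CA). The script below is an added example written for this archive page, not code from either poster; it assumes ssh-keygen is installed, that a temporary directory is writable, and it uses the constructed domain example.test and constructed validity window.

```shell
#!/bin/sh
# Added example (not from the thread): a home-brew CA for OpenSSH host keys,
# using the certificate support that later shipped in OpenSSH (ssh-keygen -s,
# @cert-authority). Assumes ssh-keygen is installed and a writable temp dir.
set -eu

WORK="${WORK:-$(mktemp -d)}"          # scratch dir; every file lands here

# 1. The CA key pair. Only ca_key (the private half) needs protecting;
#    ca_key.pub is what every client gets.
make_ca() {
  ssh-keygen -q -t ed25519 -N '' -C 'homebrew-host-ca' -f "$WORK/ca_key"
}

# 2. Generate a host key and sign its public half.
#    -h marks a host certificate, -n pins the principal (hostname) it covers,
#    -V bounds its lifetime (constructed: 5 min of clock skew, 52 weeks).
#    The optional second argument selects a different signing key; it is
#    used to show that a cert from an unknown CA is rejected.
sign_host() {
  host="$1"; ca="${2:-$WORK/ca_key}"
  ssh-keygen -q -t ed25519 -N '' -C "$host" -f "$WORK/${host}_key"
  ssh-keygen -q -s "$ca" -I "host-$host" -h -n "$host" -V -5m:+52w \
    "$WORK/${host}_key.pub"          # writes ${host}_key-cert.pub
}

# 3. One known_hosts line replaces a per-host list of pinned keys: any host
#    cert signed by our CA for a name under example.test (constructed) is
#    trusted by the client.
known_hosts_line() {
  printf '@cert-authority *.example.test %s\n' \
    "$(cut -d' ' -f1,2 "$WORK/ca_key.pub")"
}

# 4. Check a host certificate the way a client would: it must be signed by
#    our CA (fingerprint match) and list the hostname as a principal.
verify_cert() {
  host="$1"; cert="$WORK/${host}_key-cert.pub"
  ca_fp="$(ssh-keygen -l -f "$WORK/ca_key.pub" | awk '{print $2}')"
  ssh-keygen -L -f "$cert" | grep -q "Signing CA: .*$ca_fp" || return 1
  ssh-keygen -L -f "$cert" | grep -q "^ *$host\$" || return 1
}

# End-to-end run: sh this_file.sh demo
if [ "${1:-}" = "demo" ]; then
  make_ca
  sign_host web1.example.test
  known_hosts_line
  verify_cert web1.example.test && echo "web1 cert verified against our CA"
fi
```

The point Ed makes about only having to protect one private key holds here: ca_key is the sole secret, the host keys can be regenerated and re-signed at will, and the -V window means a lost or retired host certificate expires on its own instead of needing a revocation mechanism the clients may never consult.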