X.509 support in ssh (revisited)

mouring at etoh.eviladmin.org
Thu Jan 24 06:11:28 EST 2002


On Wed, 23 Jan 2002, Peter Watkins wrote:

> On Wed, Jan 23, 2002 at 12:03:35PM -0600, mouring at etoh.eviladmin.org wrote:
> > On Wed, 23 Jan 2002, Peter Watkins wrote:
>
> > > A 3rd party CA can at least give the user confidence that the server is
> > > owned by the folks who own the domain name, and that is a *LOT* better than
> > > the current behavior. Some sort of CA/cert setup definitely makes sense, IMO.
>
> > > Organizations could set up
> > > their own CAs and CRLs, and would only need to distribute the CA cert with
> > > the client setups -- an easy, one-time setup. Much more manageable than
> > > distributing N host keys to M known_hosts files, and updating those M files.
>
> > What an utter joke.  CAs give you warm fuzzy feelings.  Not much more.
>
> Without CAs, Internet commerce (business-to-consumer) simply could not
> happen. That's not a joke, it's reality. Do certs solve all problems? No.
> Are they perfect? No. Are they better than the current status quo? Many
> of us believe they would be. While you might not choose to use a cert,
> and might (arguably very reasonably) *never* want the official OpenSSH
> package, even "portable", to include any "trusted" CA certs, I think adding
> cert support would be appreciated by many of the rest of us. No joke.
>
Pssss.. Give ya a hint.. 'e-commerce' was happening before SSL and CA
certification.  It was called "Find what you want in an online catalog and
call their voice number."

So don't feed me that line.  If CAs did not exist, another method (whether
better or worse cannot be known) would have appeared.  CAs appeared because
https (and SSL in a lot of respects) lends itself to that style.

> > As I said.. from a trust view.. it is a total and utter joke.
>
> I'd argue the current system of key "management" is an utter joke. Comparing
> OpenSSH to https is like comparing /etc/hosts to DNS. From a trust view, DNS
> is a joke, right? Now raise your hand if you want to go back to the days of
> distributing and managing local host lookup tables.
>

Great.. Routers cannot be trusted.. Let's just live in our own little
isolated LANs.. Wait!  You can't trust your LAN.. someone in your house
could be listening in!!!  Phhhff.. LAME retort.

CAs only work if you have a trust established.  Yet another trust to
worry about and yet another trust that can be broken.  I have no problems
with providing companies with the ability to sign their own keys.  It
is an internal trust (which still can be broken if the guy making the keys
gets fired and takes a copy of the master key chain with him).  But like
any other major trust system (e-commerce) it requires user buy-in.

BTW.. No, I never want to see an "OpenSSH will blindly accept CA
certified public keys from the following CAs."  Why?  Simple.. *WHAT*
right does Theo, Markus, Damien, or even myself have to tell the
end user "Who should be trusted"?  Theo may feel "Foo Signers" is
trustworthy, I may feel they are a POS operation out to make money and are
careless with their key generation.  Who is right?

I don't presume to dictate trust... Which is my whole point here.  And
what Microsoft, Netscape, Opera, etc. do as part of their core business.
They dictate who they feel is trustworthy and then shove that trust
in everyone's face.  Which IMNSHO is wrong.

X.509 I have no problems with.  I just think for the majority of people it
would be overkill and added complexity.  It is 'Trusted CA' I have an issue
with.

 - Ben
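The two trust models argued over in this thread (one CA cert plus a CRL on every client, versus one host key per server in every known_hosts file) can be made concrete with a small program. The following is an added illustration written for this archive page; it is not code from OpenSSH, not an X.509 implementation, and not something either poster wrote. It assumes an invented certificate format (one Ed25519 signature over a host name and a host key), a constructed host name "bastion.example.org", a revocation list keyed by SHA-256 fingerprint standing in for the CRL, and a CA rotation step standing in for the "someone walked off with the master key chain" case, which a CRL of host keys cannot repair.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// HostCert is a toy host certificate: the CA binds one host name to one host
// public key with a single signature. Assumption: this is an invented format
// for illustration only, neither X.509 nor any format OpenSSH uses.
type HostCert struct {
	Host    string
	HostKey ed25519.PublicKey
	Sig     []byte
}

// tbs ("to be signed") is the byte string the CA signs. The host name is
// length-prefixed so name and key cannot be re-split a different way
// (host names longer than 255 bytes are out of scope for this toy).
func tbs(host string, key ed25519.PublicKey) []byte {
	b := []byte{byte(len(host))}
	b = append(b, host...)
	return append(b, key...)
}

// fingerprint identifies a host key in the revocation list.
func fingerprint(key ed25519.PublicKey) string {
	sum := sha256.Sum256(key)
	return hex.EncodeToString(sum[:])
}

// CA holds the signing key. Whoever copies it can mint a certificate for any
// host name, which is the "master key chain" risk raised in the post.
type CA struct{ priv ed25519.PrivateKey }

func NewCA() (*CA, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &CA{priv: priv}, nil
}

func (c *CA) Public() ed25519.PublicKey { return c.priv.Public().(ed25519.PublicKey) }

func (c *CA) Issue(host string, key ed25519.PublicKey) HostCert {
	return HostCert{Host: host, HostKey: key, Sig: ed25519.Sign(c.priv, tbs(host, key))}
}

// Client is the "M known_hosts files" side: it carries only the CA public key
// plus a revocation list, instead of one entry per server.
type Client struct {
	caPub   ed25519.PublicKey
	revoked map[string]bool // the "CRL": fingerprints of host keys no longer trusted
}

func NewClient(caPub ed25519.PublicKey) *Client {
	return &Client{caPub: caPub, revoked: map[string]bool{}}
}

// Revoke handles a compromised host key: the CA need not be touched.
func (cl *Client) Revoke(key ed25519.PublicKey) { cl.revoked[fingerprint(key)] = true }

// RotateCA replaces the trust anchor. Every certificate issued by the old CA
// stops verifying; that is the only remedy once the CA private key leaks.
func (cl *Client) RotateCA(newCA ed25519.PublicKey) { cl.caPub = newCA }

var (
	ErrHostMismatch = errors.New("certificate names a different host")
	ErrBadSig       = errors.New("certificate not signed by the trusted CA")
	ErrRevoked      = errors.New("host key is on the revocation list")
)

// Verify is what the client runs on connect, in place of a known_hosts lookup:
// name binding, then CA signature, then revocation.
func (cl *Client) Verify(connectingTo string, cert HostCert) error {
	if cert.Host != connectingTo {
		return ErrHostMismatch
	}
	if len(cert.HostKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(cl.caPub, tbs(cert.Host, cert.HostKey), cert.Sig) {
		return ErrBadSig
	}
	if cl.revoked[fingerprint(cert.HostKey)] {
		return ErrRevoked
	}
	return nil
}

func main() {
	ca, _ := NewCA()
	cl := NewClient(ca.Public())
	hostPub, _, _ := ed25519.GenerateKey(rand.Reader) // constructed sample host key
	cert := ca.Issue("bastion.example.org", hostPub)
	fmt.Println("genuine cert:", cl.Verify("bastion.example.org", cert))
	fmt.Println("wrong host:  ", cl.Verify("other.example.org", cert))
	rogue, _ := NewCA() // a CA the client was never told to trust
	fmt.Println("rogue CA:    ", cl.Verify("bastion.example.org", rogue.Issue("bastion.example.org", hostPub)))
	cl.Revoke(hostPub)
	fmt.Println("revoked key: ", cl.Verify("bastion.example.org", cert))
	fresh, _ := NewCA()
	cl.RotateCA(fresh.Public()) // old CA key leaked: everything it signed is now untrusted
	fmt.Println("after rotate:", cl.Verify("bastion.example.org", ca.Issue("bastion.example.org", hostPub)))
}
```

The point the program makes is the one both sides of the thread accept: the client's configuration shrinks to one public key and one list, but that one key is now the single thing whose loss invalidates every host in the organization, so the operational question becomes who holds it and how it is rotated, not how many known_hosts files need editing.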




More information about the openssh-unix-dev mailing list