consensus: support for internal CAs is good (X.509 support in ssh)

Peter Watkins peterw at usa.net
Thu Jan 24 06:31:22 EST 2002


On Wed, Jan 23, 2002 at 01:11:28PM -0600, mouring at etoh.eviladmin.org wrote:

> I have no problems
> with providing companies with the abilities to sign their own keys.  It
> is an internal trust (which still can be broken if the guy making the keys
> gets fired and takes a copy of the master key chain with him).  But like
> any other major trust system (e-commercial) it requires user buy in.

I think everyone is in agreement on this. (Whew!)

> BTW.. No I never do want to see a "OpenSSH will blindly accept CA
> certified public keys from the following CAs."

And I haven't heard anyone suggest that it should do so. Anyone who wanted
to give money to Thawte instead of running their own CA setup could
certainly add the root Thawte cert. Their call.

> I don't presume to dictate trust... Which is my whole point here.

> X.509 I have no problems with.  Just think for majority of the people it
> would be overkill and added complexity.  It is 'Trusted CA' I have an issue
> with.

Perfect. Really, perfect.

-Peter
-- 
We must all learn to live together as brothers,
or we will all perish as fools. - Dr Martin Luther King, Jr