X.509 support in ssh (revisited)

Anne Carasik gator at cacr.caltech.edu
Thu Jan 24 06:56:40 EST 2002


On Wed, Jan 23, 2002 at 11:24:01AM -0800, Rex Buddenberg wrote:
> >I think so. Having all your hostkeys signed by a central authority (like
> >an OpenSSL generated key) should be fine. There's no reason you have to
> >pay a Certificate Authority to do it.
> If this is the limit of scope to your application, by all means keep it simple.

From what I've seen, most implementations can't handle cross-certification anyway.

> Scope limitation: you can do this for secure comms but only for the 
> accounts you manage -- your students, faculty and staff.  It won't 
> work for your supply department trying to buy copier toner from an 
> outside vendor because that vendor won't be on the same key tree.

Hope you find what you're looking for (sounds like cross-certification 
to me).

-Anne
-- 
              .-"".__."``".   Anne Carasik, sysadmin, gator at cacr.caltech.edu
 .-.--. _...' (/)   (/)   ``'      Don't insult the alligator till after you
(O/ O) \-'      ` -="""=.    ',                  cross the river. -unknown 
~`~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~