X.509 support in ssh (revisited)
Anne Carasik
gator at cacr.caltech.edu
Thu Jan 24 06:56:40 EST 2002
On Wed, Jan 23, 2002 at 11:24:01AM -0800, Rex Buddenberg wrote:
> >I think so. Having all your hostkeys signed by a central authority (like
> >an OpenSSL generated key) should be fine. There's no reason you have to
> >pay a Certificate Authority to do it.
>
> If this is the limit of scope to your application, by all means keep it simple.

From what I've seen, most implementations can't handle cross-certification anyway.

> Scope limitation: you can do this for secure comms but only for the
> accounts you manage -- your students, faculty and staff. It won't
> work for your supply department trying to buy copier toner from an
> outside vendor because that vendor won't be on the same key tree.

Hope you find what you're looking for (sounds like cross-certification
to me).

-Anne
--
.-"".__."``". Anne Carasik, sysadmin, gator at cacr.caltech.edu
.-.--. _...' (/) (/) ``' Don't insult the alligator till after you
(O/ O) \-' ` -="""=. ', cross the river. -unknown
~`~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~