X.509 support in ssh (revisited)

Dan Kaminsky dan at doxpara.com
Thu Jan 24 10:11:53 EST 2002


>i know, but this is not how i see how people use https, for example.

I must admit, despite my visceral reaction to SSL's honestly embarrassing lack
of forward secrecy (sniff all you want, we'll keep the decryption key handy
for your convenience), it'd actually be nice if we could integrate OpenSSH
keys directly with Verisign/Thawte/whoever.  As far as they'd know, we'd
just be another "web server".

Of course, we'd actually do it right, signing the short term encryption key
with the long term identity key, but that'd be internal to our
implementation.

This actually would be a win -- especially since it would work out of the
box on any server that already had an SSL key set up correctly.

--Dan
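The split Dan sketches above (a long-term identity key, the one a CA would certify, that only signs a short-term exchange key, while the session secret comes from the short-term keys alone) as an added Go example; this is not code from the post or from OpenSSH, and the choice of Ed25519 for the identity key and X25519 for the short-term key is an assumption of the example.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Offer is one side's key-exchange message: a fresh X25519 public key and
// the long-term identity key's signature over it. (Illustrative layout,
// not the OpenSSH wire format.)
type Offer struct {
	Ephemeral []byte // short-term key, discarded when the session ends
	Sig       []byte // ed25519 signature made with the identity key
}

// MakeOffer creates a short-term key and signs it with the long-term identity key.
func MakeOffer(identity ed25519.PrivateKey) (*ecdh.PrivateKey, Offer, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, Offer{}, err
	}
	pub := eph.PublicKey().Bytes()
	return eph, Offer{Ephemeral: pub, Sig: ed25519.Sign(identity, pub)}, nil
}

// SessionKey checks the peer's signature against the peer's (certified) identity
// key and derives the session key from the two short-term keys. The identity
// keys only authenticate; they never encrypt or transport the session key, so
// a later compromise of an identity key reveals nothing about past sessions.
func SessionKey(mine *ecdh.PrivateKey, peerIdentity ed25519.PublicKey, peer Offer) ([32]byte, error) {
	if !ed25519.Verify(peerIdentity, peer.Ephemeral, peer.Sig) {
		return [32]byte{}, errors.New("short-term key not signed by peer's identity key")
	}
	peerPub, err := ecdh.X25519().NewPublicKey(peer.Ephemeral)
	if err != nil {
		return [32]byte{}, err
	}
	shared, err := mine.ECDH(peerPub)
	if err != nil {
		return [32]byte{}, err
	}
	return sha256.Sum256(shared), nil
}
```

Each side calls MakeOffer with its own identity key and SessionKey with the peer's identity key; both arrive at the same 32-byte session key, and any Offer whose short-term key was not signed by the expected identity key is rejected before the exchange completes.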

More information about the openssh-unix-dev mailing list