HostKey Management

Daniel Kahn Gillmor dkg at
Thu Jan 17 12:06:23 EST 2013

On 01/16/2013 10:40 AM, Mike Kelly wrote:
> 1) Is there some other option that I'm missing above?

The monkeysphere is another option:

The monkeysphere wraps your host key in an OpenPGP certificate, which
allows you (and anyone) to certify the key's association with a given
host;  it also allows anyone to verify those certifications directly.
For servers that the general public interacts with (e.g. pair's shared
servers) this is could useful even beyond the in-house utility of known
key distribution.

The only human interactions needed would be to supply some credential to
grant access to the certifying key when a machine is newly created (if
you have an automated installation mechanism, this could be included

The monkeysphere also allows you to take care of revocations using
standard OpenPGP revocation mechanisms, and to distribute those
revocations via the same OpenPGP keyserver network that is already in use.

If you don't want the keys public, you can also distribute them via a
private keyserver (or a private keyserver network), which is pretty
straightforward to install.



PS if it's not clear, i'm a contributor to the monkeysphere project.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1027 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the openssh-unix-dev mailing list