key rotation on ssh servers

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed May 15 15:55:22 EST 2013


On 05/15/2013 01:38 AM, Daniel Kahn Gillmor wrote:

> this sounds like it is similar to (but simpler than) the TACK proposal
> currently under consideration for TLS [0].  I wonder if any of the
> additional semantics considered for TACK would be useful for this sort
> of extension for SSH.  certainly the form you're proposing has the
> advantage of simplicity :)

oh, i guess one more question, sorry:

One of the goals of a key exchange is to permit future authentications
with a new key.

Looking even further down the road, you'd also want to *prevent* future
authentications with an old key.

That is, if the process never removes the old key from the client's
~/.ssh/known_hosts file, then it doesn't really protect the client
against a key compromise of the old key in the long run.

So do you think the semantics of the proposed SSH_MSG_HOSTKEYS message
should include "please invalidate all host keys not listed here"?

	--dkg
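
As an added illustration (not part of the message above and not OpenSSH code), this sketch shows what "please invalidate all host keys not listed here" would do to a client's known_hosts, including hashed host entries. The function names, example hosts and key blobs are constructed; it assumes the advertised list arrived over a session already authenticated with a key the client trusts, and it ignores wildcard patterns.

```python
import base64, hashlib, hmac

def hash_host(host, salt):
    """Build a hashed known_hosts host field: |1|salt|HMAC-SHA1(salt, host)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(field, host):
    """True if a host field names `host`, as a plain list entry or hashed."""
    if field.startswith("|1|"):
        salt = base64.b64decode(field.split("|")[2])
        return hmac.compare_digest(field, hash_host(host, salt))
    return host in field.split(",")

def apply_hostkeys(text, host, advertised):
    """Return (new_text, removed_keys); advertised is a set of (type, blob)."""
    kept, removed, seen = [], [], set()
    for line in text.splitlines():
        f = line.split()
        # Comments, blanks and marker lines (@cert-authority, @revoked) pass through.
        if len(f) < 3 or f[0][0] in "#@" or not host_matches(f[0], host):
            kept.append(line)
            continue
        key = (f[1], f[2])
        if key in advertised:
            kept.append(line)
            seen.add(key)
            continue
        removed.append(key)  # old key: future authentications must fail
        # Other names sharing a plain line keep the key; the server spoke only for `host`.
        others = [h for h in f[0].split(",") if h != host]
        if others and not f[0].startswith("|1|"):
            kept.append(" ".join([",".join(others)] + f[1:]))
    for key in sorted(advertised - seen):  # keys the client had not seen yet
        kept.append("%s %s %s" % (host, key[0], key[1]))
    return "\n".join(kept) + "\n", removed

# Constructed sample: hosts are example names, key blobs are placeholders.
SAMPLE = "\n".join([
    "# constructed known_hosts",
    "host.example,backup.example ssh-rsa AAAAOLDRSA",
    "host.example ecdsa-sha2-nistp256 AAAACURRENT",
    hash_host("host.example", b"constructed-salt") + " ssh-dss AAAAOLDDSA",
    "other.example ssh-rsa AAAAOTHER",
]) + "\n"
ADVERTISED = {("ecdsa-sha2-nistp256", "AAAACURRENT"), ("ssh-rsa", "AAAANEWRSA")}

if __name__ == "__main__":
    new_text, removed = apply_hostkeys(SAMPLE, "host.example", ADVERTISED)
    print(new_text, removed)
```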
