Suggestion: Deprecate SSH certificates and move to X.509 certificates

Yegor Ievlev koops1997 at gmail.com
Fri May 25 13:36:45 AEST 2018


I suggest deprecating proprietary SSH certificates and moving to X.509
certificates. The reasons why I suggest this change are: X.509
certificates are the standard on the web, SSH certificates provide no
way to revoke compromised certificates, and SSH certificates haven't
seen significant adoption. It's also a bad idea to roll your own
crypto, and one's own certificate format seems like an example of this.
I request comments on this proposal, and suggest that X.509 certificates
should be supported even if SSH certificates are left in, since that
will solve the problem of authenticating a previously unknown server
using the same mechanism most of the web is using.


More information about the openssh-unix-dev mailing list