Suggestion: Deprecate SSH certificates and move to X.509 certificates

Yegor Ievlev koops1997 at gmail.com
Fri May 25 15:03:05 AEST 2018


I did not consciously attempt to be combative. However your perception
may be different.

On Fri, May 25, 2018 at 7:58 AM, Jim Knoble <jmknoble at pobox.com> wrote:
> You're coming across as rather combative, demanding sources to support others' comments, when you yourself have provided no evidence to support your own claims. Perhaps you want to rethink your approach.
>
> That said, I know of an enterprise with 50,000 employees worldwide who relies on OpenSSH certificates to securely authenticate across bastions into virtual private clouds. I'm pretty sure Peter doesn't work there, as I would know it. That makes two data points to support his statement.
>
> --
> jim knoble
>
>
>> On May 24, 2018, at 21:26, Yegor Ievlev <koops1997 at gmail.com> wrote:
>>
>> That's not a very good source, since it's only available to one person.
>>
>>> On Fri, May 25, 2018 at 7:12 AM, Peter Moody <mindrot at hda3.com> wrote:
>>>> On Thu, May 24, 2018 at 9:09 PM, Yegor Ievlev <koops1997 at gmail.com> wrote:
>>>> How can I revoke one SSH certificate without having to replace the
>>>> root certificate and all certificates signed by it?
>>>
>>> there is no chaining of ssh certificates.
>>>
>>>> Regarding the second statement, do you have sources?
>>>
>>> yes. my day job.
>>>
>>>>> On Fri, May 25, 2018 at 6:58 AM, Peter Moody <mindrot at hda3.com> wrote:
>>>>>> On Thu, May 24, 2018 at 8:36 PM, Yegor Ievlev <koops1997 at gmail.com> wrote:
>>>>>>
>>>>>> SSH certificates provide no
>>>>>> way to revoke compromised certificates,
>>>>>
>>>>> this isn't true
>>>>>
>>>>>> and SSH certificates haven't seen significant adoption,
>>>>>
>>>>> this also isn't true.
>>>>>
>>>>> enterprises love ssh certificates.

