Suggestion: Deprecate SSH certificates and move to X.509 certificates

Michael Ströder michael at
Sat May 26 00:21:00 AEST 2018

Yegor Ievlev wrote:
> Can you tell what problem with SSH certificate revocation does
> software you wrote for Uber solve?

Most implementations simply issue short-term certs for freshly generated
key pairs only valid for a few hours. With automatic loading of cert/key
into ssh-agent you also prevent insecure storage of the private keys.

Detecting a security issue and reliably rolling out revocation lists on
tens thousands of machines likely takes longer than this validity period.

There are already several implementations you can find on github and
elsewhere. I've also implemented such a service for a customer recently.

Ciao, Michael.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3829 bytes
Desc: S/MIME Cryptographic Signature
URL: <>

More information about the openssh-unix-dev mailing list