Suggestion: Deprecate SSH certificates and move to X.509 certificates

Konrad Bucheli kb at open.ch
Mon May 28 19:42:16 AEST 2018


Here you have a second person. We heavily depend on them and they are 
way easier to manage than X.509 certificates.

On 25.05.2018 06:26, Yegor Ievlev wrote:
> That's not a very good source, since it's only available to one person.
> 
> On Fri, May 25, 2018 at 7:12 AM, Peter Moody <mindrot at hda3.com> wrote:
>> On Thu, May 24, 2018 at 9:09 PM, Yegor Ievlev <koops1997 at gmail.com> wrote:
>>> How can I revoke one SSH certificate without having to replace the
>>> root certificate and all certificates signed by it?
>>
>> there is no chaining of ssh certificates.
>>
>>> Regarding the second statement, do you have sources?
>>
>> yes. my day job.
>>
>>> On Fri, May 25, 2018 at 6:58 AM, Peter Moody <mindrot at hda3.com> wrote:
>>>> On Thu, May 24, 2018 at 8:36 PM, Yegor Ievlev <koops1997 at gmail.com> wrote:
>>>>
>>>>> SSH certificates provide no
>>>>> way to revoke compromised certificates,
>>>>
>>>> this isn't true
>>>>
>>>>> and SSH certificates haven't seen significant adoption,
>>>>
>>>> this also isn't true.
>>>>
>>>> enterprises love ssh certificates.

-- 
konrad bucheli
principal engineer

open systems ag
raeffelstrasse 29
ch-8045 zurich

t: +41 58 100 10 10
f: +41 58 100 10 11
kb at open.ch

http://www.open.ch
