clarify error messages and documentation when using signed public keys

Brian Candler b.candler at
Mon Sep 21 05:48:39 AEST 2020

On 20/09/2020 18:56, Christopher J. Ruwe wrote:
> "In an otherwise normal public/private key pair exchange, clients or
> servers may then trust any public key, provided it has been signed by
> a trusted CA, and verify it's [sic] signature on the certificate of the CA,

There is no signature "on the certificate of the CA", because unlike 
X509, the SSH CA doesn't have a self-signed certificate - just a 
public/private key pair.

The signature is *on* the user (or host) certificate, and this signature 
is made *by* the CA.  You can verify the signature using the public key 
of the CA.

More information about the openssh-unix-dev mailing list