3rd party vs internal CAs (X.509 support in ssh)
Peter Watkins
peterw at usa.net
Thu Jan 24 06:15:45 EST 2002
On Wed, Jan 23, 2002 at 01:32:01PM -0500, Ed Phillips wrote:
> I wasn't the one talking about a CA "service" like Thawte or Verisign - I
> was talking about a home-brew CA used just to sign OpenSSH hostkeys and
> verify them so that it can all be automated. I only need to protect the
> home-brew-CA private key. That is workable in my environment, and the
> reward seems worth the effort. Anyone else think it would be worth it?
That's what I was thinking, too. Besides not wanting to pay $100 USD per
year per host, I'd have zero interest in giving a third party the hostnames
of all the boxes I ran sshd on. And even less interest in letting them know
when boxes had been compromised (i.e., when I needed to replace a cert). For
internal, or private-use-only, hosts, in-house CAs are the way to go.
-Peter
--
We must all learn to live together as brothers,
or we will all perish as fools. - Dr Martin Luther King, Jr
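The home-brew host-key CA described in this exchange, as an added example that is not part of the original thread or of OpenSSH itself: it uses OpenSSH's native certificate format (`ssh-keygen -s`, which arrived in OpenSSH 5.4 and is unrelated to the X.509 patch under discussion). The only secret is the CA private key; clients trust one `@cert-authority` line instead of one host key per box, and a compromised host's certificate is withdrawn with a key revocation list (KRL) rather than by telling a third party. The hostnames, CA comment, serial number and validity period are constructed values; everything is written to a temporary directory, nothing touches `~/.ssh`.

```shell
#!/bin/sh
# Added example (not from the thread): in-house OpenSSH host-key CA with
# native certificates, known_hosts trust anchor and KRL-based revocation.
set -eu

# Create a CA, a host key, a signed host certificate and a known_hosts
# trust line in a fresh temporary directory; prints that directory's path.
build_host_ca() {
    work=$(mktemp -d)
    # 1. CA keypair: the single secret that has to be protected (no passphrase here for the demo).
    ssh-keygen -q -t ed25519 -N '' -C 'internal-host-ca' -f "$work/host_ca" >/dev/null
    # 2. A host key, as sshd on the server would hold it.
    ssh-keygen -q -t ed25519 -N '' -f "$work/ssh_host_ed25519_key" >/dev/null
    # 3. Sign it as a *host* certificate (-h) for the constructed principals, serial 1, valid 52 weeks.
    #    Output lands in ssh_host_ed25519_key-cert.pub, which sshd serves via HostCertificate.
    ssh-keygen -q -s "$work/host_ca" -I 'web1.internal' -h -z 1 \
        -n 'web1.internal,10.0.0.5' -V '+52w' "$work/ssh_host_ed25519_key.pub" >/dev/null
    # 4. Client side: one trust anchor for every host matching the pattern, no per-host keys.
    printf '@cert-authority *.internal,10.0.0.* %s\n' "$(cat "$work/host_ca.pub")" \
        > "$work/known_hosts"
    echo "$work"
}

# Check that certificate $1 was signed by CA public key $2 by comparing the
# CA fingerprint against the "Signing CA:" line of the certificate listing.
cert_signed_by() {
    ca_fp=$(ssh-keygen -lf "$2" | awk '{print $2}')
    ssh-keygen -Lf "$1" | grep 'Signing CA:' | grep -qF "$ca_fp"
}

# Revoke certificate $2 into KRL file $1 (what you do when the host is compromised);
# sshd and ssh consume the KRL via RevokedHostKeys / RevokedKeys.
revoke_cert() {
    ssh-keygen -q -k -f "$1" "$2" >/dev/null
}

# True when certificate $2 is listed in KRL $1 (ssh-keygen -Q exits non-zero for revoked keys).
is_revoked() {
    ! ssh-keygen -Q -f "$1" "$2" >/dev/null
}

# Stand-alone walk-through of the whole flow.
dir=$(build_host_ca)
cert="$dir/ssh_host_ed25519_key-cert.pub"
cert_signed_by "$cert" "$dir/host_ca.pub" && echo "certificate verifies against internal CA"
cat "$dir/known_hosts"
revoke_cert "$dir/revoked.krl" "$cert"
is_revoked "$dir/revoked.krl" "$cert" && echo "certificate now revoked; reissue a new one for the rebuilt host"
rm -rf "$dir"
```

On the server, `HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub` in `sshd_config` makes sshd present the certificate; on clients, the `@cert-authority` line goes into the system `ssh_known_hosts` so new hosts are trusted the moment they are signed, which is the automation the thread is after.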