clarify error messages and documentation when using signed public keys
Brian Candler
b.candler at pobox.com
Mon Sep 21 05:48:39 AEST 2020
On 20/09/2020 18:56, Christopher J. Ruwe wrote:
> "In an otherwise normal public/private key pair exchange, clients or
> servers may then trust any public key, provided it has been signed by
> a trusted CA, and verify it's [sic] signature on the certificate of the CA,
There is no signature "on the certificate of the CA", because unlike
X509, the SSH CA doesn't have a self-signed certificate - just a
public/private key pair.
The signature is *on* the user (or host) certificate, and this signature
is made *by* the CA. You can verify the signature using the public key
of the CA.
More information about the openssh-unix-dev
mailing list