On Mon, 6 Oct 2003, Robert G. Brown wrote:

> The only thing that might be worth investigating for implementation in
> yum itself is a) -- I can imagine a scenario where one inserts the
> public ssh key of yum servers into a yum.conf so that yum can do a quick
> handshake right before starting to download files to be certain that the
> host it thinks it is contacting really is that host.

Not quite replying to myself, this is in reference to ssl as an alternative.

There are good things and bad things about ssl for host authentication. The good thing is that there is a CA. The bad thing is that there is a CA. For some sites CA-based authentication (which generally costs money) will be right; for others a more DIY approach is called for. SSL is not horribly trivial to set up at all, let alone correctly.

So ssh is suggested as an alternative to ssl, not as a replacement. openssh is trivially installable on just about any system these days, and it is pretty easy to access and copy keys and hence arrange for a handshake with no need for an external CA.

   rgb

Robert G. Brown                        http://www.phy.duke.edu/~rgb/
Duke University Dept. of Physics, Box 90305
Durham, N.C. 27708-0305
Phone: 1-919-660-2567  Fax: 919-660-2525     email:rgb@xxxxxxxxxxxx
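
Added example, not part of the original message and not yum code: a Python sketch of the pin comparison behind the idea quoted above, where a yum.conf section carries the server's public SSH key. The `hostkey` option, the repository names, the mirror URL and the key bytes are hypothetical and constructed; proof that the server holds the matching private key would come from the SSH handshake itself, which is not shown.

```python
import base64, configparser, hashlib, hmac, struct

def make_blob(key_type: str, raw: bytes) -> bytes:
    """Build an SSH wire-format public key blob: two length-prefixed strings."""
    t = key_type.encode()
    return struct.pack(">I", len(t)) + t + struct.pack(">I", len(raw)) + raw

def parse_pubkey_line(line: str) -> bytes:
    """Decode an OpenSSH 'type base64 [comment]' line; reject a mismatched type."""
    fields = line.split()
    blob = base64.b64decode(fields[1], validate=True) if len(fields) >= 2 else b""
    if len(blob) < 4:
        raise ValueError("expected 'type base64 [comment]'")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != fields[0].encode():
        raise ValueError("declared key type does not match key blob")
    return blob

def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form ssh-keygen -l prints, for logging."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_key_is_pinned(conf_text: str, repo: str, presented: bytes) -> bool:
    """True only if the repo section pins exactly the key the server presented."""
    conf = configparser.ConfigParser()
    conf.read_string(conf_text)
    pinned_line = conf.get(repo, "hostkey", fallback=None)  # hypothetical option
    if pinned_line is None:
        return False  # fail closed: no pin means no trust
    try:
        pinned = parse_pubkey_line(pinned_line)
    except ValueError:  # also covers malformed base64 (binascii.Error)
        return False
    return hmac.compare_digest(pinned, presented)

# Constructed sample data (not real keys, not a real mirror).
GOOD = make_blob("ssh-ed25519", bytes(range(32)))
EVIL = make_blob("ssh-ed25519", bytes(range(1, 33)))
CONF = (
    "[base]\n"
    "baseurl = http://mirror.example.org/yum/\n"
    "hostkey = ssh-ed25519 " + base64.b64encode(GOOD).decode() + " mirror.example.org\n"
    "[updates]\n"
    "baseurl = http://mirror.example.org/updates/\n"
)

if __name__ == "__main__":
    print(fingerprint(GOOD), host_key_is_pinned(CONF, "base", GOOD), host_key_is_pinned(CONF, "base", EVIL))
```

A repository with no pin, or with a pin whose declared type does not match the key blob, is treated as untrusted rather than silently accepted.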