On Tue, Apr 1, 2014 at 6:18 PM, Damien Miller <djm@xxxxxxxxxxx> wrote:
> On Tue, 1 Apr 2014, Nico Kadel-Garcia wrote:
>
>> This is partly why some folks would like an authentication procedure
>> for host keys, so such changed keys can be signed by a trustworthy
>> upstream source and simply accepted like signed SSL keys.
>
> You mean like the certificate keys we added to OpenSSH four years ago?

Which of the three technologies that no one uses are you referring to?

The lack of a consistent specification makes it far more difficult to implement in even a limited way, between RFC 4255 (DNS based signatures, which I've not seen anyone use since the RFC was published), RFC 6187 (X.509 based signatures, which are available via patch for OpenSSH but are not in the base source code and thus vulnerable to support problems), and OpenSSH's own special non-RFC published technique described in the PROTOCOL.certkeys file and which, again, does not work with other clients.

So yes, they'd like a working authentication *procedure*. The divergence of the multiple signature technologies actively hinders their use. If you think any of these have gained any significant use, please name any 3 publicly exposed SSH services that use any of these technologies to sign their keys that is not hosted by an active SSH or OpenSSH developer.

Nico Kadel-Garcia

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
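For readers who have not seen the first of the three mechanisms in practice, the following is an added example (not code from the thread or from OpenSSH) of the RFC 4255 SSHFP matching step: computing the fingerprint of a host's public key blob and checking it against SSHFP resource data. The Ed25519 key is constructed in the block, the function names (`sshfp_record`, `verify_sshfp`, `tamper_last_byte`) are my own, and the algorithm/type numbers come from RFC 4255 (RSA=1, DSA=2, SHA-1=1), RFC 6594 (ECDSA=3, SHA-256=2) and RFC 7479 (Ed25519=4). The DNS lookup itself is left out: an SSHFP record only authenticates a host key if it was obtained through a DNSSEC-validated answer, which is the part a deployment must get right and the part this matcher assumes has already happened.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers keyed by the SSH key type string that leads every
# public key blob (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
# The fingerprint is the hash of the raw (base64-decoded) public key blob.
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data


def key_type_from_blob(blob: bytes) -> str:
    """Return the key type string that starts every SSH public key blob."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii")


def sshfp_record(blob: bytes, fp_type: int = 2) -> str:
    """Build SSHFP RDATA ('alg type hex-fingerprint') for a key blob."""
    alg = SSHFP_ALGORITHM[key_type_from_blob(blob)]
    return f"{alg} {fp_type} {SSHFP_HASH[fp_type](blob).hexdigest()}"


def sshfp_records_for_line(pubkey_line: str) -> list:
    """SHA-1 and SHA-256 SSHFP RDATA for an OpenSSH 'type base64 comment' line."""
    blob = base64.b64decode(pubkey_line.split()[1])
    return [sshfp_record(blob, fp_type) for fp_type in sorted(SSHFP_HASH)]


def verify_sshfp(pubkey_line: str, records: list) -> bool:
    """Check an OpenSSH public key line against SSHFP RDATA strings.

    A record matches only if its algorithm number agrees with the key type and
    its fingerprint equals the hash of the blob. Malformed records and unknown
    hash types are skipped rather than trusted, so a bad record can never
    turn an unverified key into a verified one.
    """
    _type, b64, *_comment = pubkey_line.split()
    blob = base64.b64decode(b64)
    expected_alg = SSHFP_ALGORITHM.get(key_type_from_blob(blob))
    if expected_alg is None:
        return False
    for record in records:
        parts = record.split()
        if len(parts) != 3:
            continue
        try:
            alg, fp_type = int(parts[0]), int(parts[1])
        except ValueError:
            continue
        if alg != expected_alg or fp_type not in SSHFP_HASH:
            continue
        if SSHFP_HASH[fp_type](blob).hexdigest() == parts[2].lower():
            return True
    return False


def tamper_last_byte(pubkey_line: str) -> str:
    """Return the same key line with the last key byte flipped (a changed key)."""
    key_type, b64, *comment = pubkey_line.split()
    blob = bytearray(base64.b64decode(b64))
    blob[-1] ^= 0x01
    return " ".join([key_type, base64.b64encode(bytes(blob)).decode()] + comment)


# Constructed sample: an Ed25519 public key blob whose 32 key bytes are 0..31.
# Not a real host key; only the wire format matters for the fingerprint.
_SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_KEY_LINE = "ssh-ed25519 " + base64.b64encode(_SAMPLE_BLOB).decode() + " constructed@example"
SAMPLE_SSHFP = sshfp_record(_SAMPLE_BLOB)  # e.g. "4 2 <64 hex chars>"

if __name__ == "__main__":
    print("SSHFP RDATA for sample key:", SAMPLE_SSHFP)
    print("matches:", verify_sshfp(SAMPLE_KEY_LINE, [SAMPLE_SSHFP]))
    print("changed key matches:", verify_sshfp(tamper_last_byte(SAMPLE_KEY_LINE), [SAMPLE_SSHFP]))
```

The matcher deliberately ties the algorithm number to the key type instead of comparing fingerprints alone, which is what keeps an RSA record from vouching for an Ed25519 key of the same digest, and it treats anything it cannot parse as a non-match. OpenSSH's own `VerifyHostKeyDNS` option performs the equivalent comparison, with the additional requirement that the DNS answer carry the authenticated-data bit before the key is accepted without prompting.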