Re: How can I have the same ssh key for dual boot (ssh-keygen)

On Tue, Apr 1, 2014 at 6:18 PM, Damien Miller <djm@xxxxxxxxxxx> wrote:
> On Tue, 1 Apr 2014, Nico Kadel-Garcia wrote:
>
>> This is partly why some folks would like an authentication procedure
>> for host keys, so such changed keys can be signed by a trustworthy
>> upstream source and simply accepted like signed SSL keys.
>
> You mean like the certificate keys we added to OpenSSH four years ago?

Which of the three technologies that no one uses are you referring to?
The lack of a consistent specification makes it far more difficult to
implement in even a limited way, between RFC 4255 (DNS based
signatures which I've not seen anyone use since the RFC was
published), RFC 6187 (X.509 based signatures, which are available via
patch for OpenSSH but are not in the base source code and thus
vulnerable to support problems), and OpenSSH's own special non-RFC
published technique described in the PROTOCOLS.certkeys file and
which, again, does not work with other clients.

So yes, they'd like a working authentication *procedure*. The
divergence of the multiple signature technologies actively hinders
their use. If you think any of these have gained any significant
please any 3 publicly exposed SSH services that use any of these
technologies to sign their keys that is not hosted by an active SSH or
OpenSSH developer.

                             Nico Kadel-Garcia
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



