Re: Suggestion: Deprecate SSH certificates and move to X.509 certificates

No way, sorry.

The OpenSSH certificate format was significantly motivated by X.509's
syntactic and semantic complexity, and the consequent attack surface in
the sensitive pre-authentication paths of our code. We're very happy to
be able to offer certificate functionality while avoiding the numerous
vulnerabilities that X.509/ASN.1 parsing would have brought.

If you really want X.509 certificates, then I'd recommend Roumen
Petrov's patches: https://roumenpetrov.info/secsh/ -- he's done a
fine job of maintaining these over an extended period of time.

-d

On Fri, 25 May 2018, Yegor Ievlev wrote:

> I suggest deprecating proprietary SSH certificates and moving to X.509
> certificates. The reasons why I suggest this change are: X.509
> certificates are the standard on the web, SSH certificates provide no
> way to revoke compromised certificates, and SSH certificates haven't
> seen significant adoption. It's also a bad idea to roll your own
> crypto, and its own certificate format seems like an example of this. I
> request comments on this proposal, and suggest that X.509 certificates
> should be supported even if SSH certificates will be left in, since
> that will solve the problem of authenticating a previously unknown
> server using the same mechanism most of the web is using.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> 
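To make the point of the reply concrete, here is an added example (not code from OpenSSH, from the thread, or from either poster): a strict decoder for the OpenSSH certificate wire layout described in OpenSSH's PROTOCOL.certkeys, for the ssh-ed25519 certificate type. The whole certificate is a flat sequence of length-prefixed fields, which is the simplicity the reply contrasts with X.509/ASN.1 parsing. The sample certificate bytes are constructed inline with dummy key and signature material, the half-open validity interval is this example's own choice, and signature verification is left out on purpose: a real consumer must verify the signature with the CA key before trusting any field the decoder returns.

```python
import struct
import time

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
SSH_CERT_TYPE_USER = 1
SSH_CERT_TYPE_HOST = 2


class CertFormatError(ValueError):
    """Raised for any malformed input; the decoder fails closed."""


class Reader:
    """Cursor over a byte buffer. Every read is bounds-checked and leftover
    bytes are rejected, so truncated or padded blobs never parse."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if n < 0 or self.pos + n > len(self.data):
            raise CertFormatError("truncated field")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u32(self) -> int:
        return struct.unpack(">I", self.take(4))[0]

    def u64(self) -> int:
        return struct.unpack(">Q", self.take(8))[0]

    def string(self) -> bytes:          # SSH "string": uint32 length + bytes
        return self.take(self.u32())

    def done(self) -> None:
        if self.pos != len(self.data):
            raise CertFormatError("trailing bytes after certificate")


def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def parse_name_list(blob: bytes) -> list:
    """'valid principals' is itself a packed sequence of SSH strings."""
    r, names = Reader(blob), []
    while r.pos < len(blob):
        names.append(r.string().decode("utf-8"))
    return names


def parse_ed25519_cert(blob: bytes) -> dict:
    """Decode the fields in wire order; no signature check is done here."""
    r = Reader(blob)
    if r.string() != CERT_TYPE:
        raise CertFormatError("unexpected certificate type")
    cert = {
        "nonce": r.string(),
        "public_key": r.string(),
        "serial": r.u64(),
        "type": r.u32(),
        "key_id": r.string().decode("utf-8"),
        "principals": parse_name_list(r.string()),
        "valid_after": r.u64(),
        "valid_before": r.u64(),
        "critical_options": r.string(),
        "extensions": r.string(),
        "reserved": r.string(),
        "signature_key": r.string(),
        "signature": r.string(),
    }
    r.done()
    if cert["type"] not in (SSH_CERT_TYPE_USER, SSH_CERT_TYPE_HOST):
        raise CertFormatError("unknown certificate type")
    return cert


def check_cert(cert: dict, principal: str, now: int) -> bool:
    """Policy a consumer applies after signature verification: the presented
    name must be listed and 'now' must fall inside the validity window."""
    if principal not in cert["principals"]:
        return False
    return cert["valid_after"] <= now < cert["valid_before"]


def build_sample_cert(principals, valid_after, valid_before) -> bytes:
    """Constructed sample with dummy key/signature bytes; not a real cert."""
    names = b"".join(ssh_string(p.encode()) for p in principals)
    return b"".join([
        ssh_string(CERT_TYPE),
        ssh_string(b"\x00" * 32),                # nonce
        ssh_string(b"\x11" * 32),                # public key (dummy)
        struct.pack(">Q", 42),                   # serial
        struct.pack(">I", SSH_CERT_TYPE_USER),   # user certificate
        ssh_string(b"alice@example"),            # key id
        ssh_string(names),                       # valid principals
        struct.pack(">Q", valid_after),
        struct.pack(">Q", valid_before),
        ssh_string(b""), ssh_string(b""), ssh_string(b""),  # options, extensions, reserved
        ssh_string(b"\x22" * 32),                # CA signature key (dummy)
        ssh_string(b"\x33" * 64),                # signature (dummy)
    ])


if __name__ == "__main__":
    now = int(time.time())
    cert = parse_ed25519_cert(build_sample_cert(["alice", "deploy"], now - 60, now + 3600))
    print(cert["key_id"], cert["principals"], check_cert(cert, "alice", now))
```

Each field is read with an explicit bound and the decoder refuses both truncated blobs and blobs with bytes left over, which is the property that matters in a pre-authentication path: there is exactly one way to encode a given certificate and no length-or-tag ambiguity to resolve.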