No way, sorry.

The OpenSSH certificate format was significantly motivated by X.509's
syntactic and semantic complexity, and the consequent attack surface in
the sensitive pre-authentication paths of our code. We're very happy to
be able to offer certificate functionality while avoiding the numerous
vulnerabilities that X.509/ASN.1 parsing would have brought.

If you really want X.509 certificates, then I'd recommend Roumen
Petrov's patches: https://roumenpetrov.info/secsh/ -- he's done a fine
job of maintaining these over an extended period of time.

-d

On Fri, 25 May 2018, Yegor Ievlev wrote:

> I suggest deprecating proprietary SSH certificates and moving to X.509
> certificates. The reasons why I suggest this change are: X.509
> certificates are the standard on the web, SSH certificates provide no
> way to revoke compromised certificates, and SSH certificates haven't
> seen significant adoption. It's also a bad idea to roll your own
> crypto, and own certificate format seems like an example of this. I
> request comments on this proposal, and suggest that X.509 certificates
> should be supported even if SSH certificates will be left in, since
> that will solve the problem of authenticating a previously unknown
> server using the same mechanism most of the web is using.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev