Can you implement revocation support?

On Fri, May 25, 2018 at 6:55 AM, Damien Miller <djm@xxxxxxxxxxx> wrote:
> No way, sorry.
>
> The OpenSSH certificate format was significantly motivated by X.509's
> syntactic and semantic complexity, and the consequent attack surface in
> the sensitive pre-authentication paths of our code. We're very happy to
> be able to offer certificate functionality while avoiding the numerous
> vulnerabilities that X.509/ASN.1 parsing would have brought.
>
> If you really want X.509 certificates, then I'd recommend Roumen
> Petrov's patches: https://roumenpetrov.info/secsh/ -- he's done a
> fine job of maintaining these over an extended period of time.
>
> -d
>
> On Fri, 25 May 2018, Yegor Ievlev wrote:
>
>> I suggest deprecating proprietary SSH certificates and moving to X.509
>> certificates. The reasons why I suggest this change are: X.509
>> certificates are the standard on the web, SSH certificates provide no
>> way to revoke compromised certificates, and SSH certificates haven't
>> seen significant adoption. It's also a bad idea to roll your own
>> crypto, and an own certificate format seems like an example of this. I
>> request comments on this proposal, and suggest that X.509 certificates
>> should be supported even if SSH certificates are left in, since
>> that will solve the problem of authenticating a previously unknown
>> server using the same mechanism most of the web is using.
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev@xxxxxxxxxxx
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
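To make concrete the "syntactic simplicity" Damien's reply sets against X.509/ASN.1, here is an added example (not OpenSSH code, not posted by anyone in the thread) that encodes and decodes an ssh-ed25519-cert-v01@openssh.com blob as laid out in OpenSSH's PROTOCOL.certkeys: fixed-width big-endian integers and uint32-length-prefixed strings, no tags, no optional fields. The key bytes, nonce and signature in the test vector are constructed dummies, and the code does not verify the CA signature; it only shows the parsing and the fail-closed checks (truncation, trailing data, bad reserved field) a pre-authentication parser of this format needs.

```python
"""Encoder/decoder for the ssh-ed25519-cert-v01@openssh.com blob (OpenSSH
PROTOCOL.certkeys).  Added example, not OpenSSH code; no signature check."""
import struct

CERT_TYPE_USER, CERT_TYPE_HOST = 1, 2
KEY_TYPE = b"ssh-ed25519-cert-v01@openssh.com"


def ssh_string(b: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def encode_cert(nonce, pubkey, serial, cert_type, key_id, principals,
                valid_after, valid_before, critical_options, extensions,
                signature_key, signature) -> bytes:
    """principals: list of bytes; option lists: list of (name, data) pairs;
    signature_key / signature: already-encoded SSH key and signature blobs."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    pairs = lambda lst: b"".join(ssh_string(n) + ssh_string(d) for n, d in lst)
    return (ssh_string(KEY_TYPE) + ssh_string(nonce) + ssh_string(pubkey)
            + struct.pack(">Q", serial) + struct.pack(">I", cert_type)
            + ssh_string(key_id)
            + ssh_string(b"".join(ssh_string(p) for p in principals))
            + struct.pack(">Q", valid_after) + struct.pack(">Q", valid_before)
            + ssh_string(pairs(critical_options)) + ssh_string(pairs(extensions))
            + ssh_string(b"")                       # reserved, always empty
            + ssh_string(signature_key) + ssh_string(signature))


class _Reader:
    """Bounds-checked cursor: every read fails closed on short input."""
    def __init__(self, buf: bytes):
        self.buf, self.off = bytes(buf), 0

    def take(self, n: int) -> bytes:
        if n > len(self.buf) - self.off:
            raise ValueError("truncated certificate")
        out, self.off = self.buf[self.off:self.off + n], self.off + n
        return out

    def u32(self) -> int: return struct.unpack(">I", self.take(4))[0]
    def u64(self) -> int: return struct.unpack(">Q", self.take(8))[0]
    def string(self) -> bytes: return self.take(self.u32())

    def strings(self) -> list:          # string holding zero or more strings
        inner, out = _Reader(self.string()), []
        while inner.off < len(inner.buf):
            out.append(inner.string())
        return out

    def pairs(self) -> list:            # string holding (name, data) pairs
        inner, out = _Reader(self.string()), []
        while inner.off < len(inner.buf):
            out.append((inner.string(), inner.string()))
        return out

    def finish(self):
        if self.off != len(self.buf):
            raise ValueError("trailing data after certificate")


def decode_cert(blob: bytes) -> dict:
    r = _Reader(blob)
    if r.string() != KEY_TYPE:
        raise ValueError("not an ssh-ed25519 certificate")
    c = {"nonce": r.string(), "pubkey": r.string(), "serial": r.u64(),
         "type": r.u32(), "key_id": r.string(), "principals": r.strings(),
         "valid_after": r.u64(), "valid_before": r.u64(),
         "critical_options": r.pairs(), "extensions": r.pairs()}
    if r.string() != b"":
        raise ValueError("reserved field must be empty")
    c["signature_key"] = r.string()
    c["signed_data"] = blob[:r.off]     # the bytes the CA signature covers
    c["signature"] = r.string()
    r.finish()
    if len(c["pubkey"]) != 32 or c["type"] not in (CERT_TYPE_USER, CERT_TYPE_HOST):
        raise ValueError("bad key length or certificate type")
    return c


def within_validity(cert: dict, now: int) -> bool:
    """valid_after is inclusive, valid_before exclusive."""
    return cert["valid_after"] <= now < cert["valid_before"]


def sample_cert() -> bytes:
    """Constructed test vector: dummy key bytes and a dummy signature."""
    ca_pub = ssh_string(b"ssh-ed25519") + ssh_string(b"\x11" * 32)
    sig = ssh_string(b"ssh-ed25519") + ssh_string(b"\x22" * 64)
    return encode_cert(nonce=b"\x00" * 32, pubkey=bytes(range(32)), serial=42,
                       cert_type=CERT_TYPE_USER, key_id=b"alice@example",
                       principals=[b"alice", b"admin"],
                       valid_after=1_527_206_400, valid_before=1_527_292_800,
                       critical_options=[], extensions=[(b"permit-pty", b"")],
                       signature_key=ca_pub, signature=sig)
```

The whole grammar is one length-prefixed string type plus two integer widths, which is why a bounds-checked cursor of a dozen lines covers it; the same parser would have to handle tags, indefinite lengths and optional, context-dependent fields for DER. Note that `signed_data` stops just before the trailing signature string, which is the span a real verifier would check the CA signature against.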