On 20/09/2020 18:56, Christopher J. Ruwe wrote:
"In an otherwise normal public/private key pair exchange, clients or servers may then trust any public key, provided it has been signed by a trusted CA, and verify it's [sic] signature on the certificate of the CA,
There is no signature "on the certificate of the CA", because unlike X509, the SSH CA doesn't have a self-signed certificate - just a public/private key pair.
The signature is *on* the user (or host) certificate, and this signature is made *by* the CA. You can verify the signature using the public key of the CA.
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
