Re: [RFC] Preferentially TOFU certificate authorities rather than host keys

On Mon, Oct 14, 2024 at 04:29:56PM +0100, Matthew Garrett wrote:
> There's currently no way to express trust for an SSH certificate CA other
> than by manually adding it to known_hosts. This patch modifies the automatic
> key write-out behaviour on user verification to associate the hostname with
> the CA rather than the host key, allowing environments making use of
> certificates to update (potentially compromised) host keys without needing
> to modify client configuration or force users to update their known_hosts.

Oh, and a couple of use-cases I forgot to mention - transparent 
association of a CA key with a hostname also allows for either transient 
hosts behind the same hostname without needing to retain private key 
material, and also makes it possible to have multiple hosts behind the 
same hostname without having to share key material. This seems 
especially useful for allowing hardware-backed key material to be used 
in more complex scenarios than are currently feasible.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
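As an added example (not code from the patch, from OpenSSH, or from the author), here is a small Python audit over a known_hosts file that makes the distinction in the message concrete: which names are pinned to an individual host key (and would need a known_hosts edit if that key changed), which trust a CA through an `@cert-authority` line, and which carry an `@revoked` marker. The hostnames, key blobs and salt are constructed; the pattern matching is a simplified model of the known_hosts rules (wildcards, `!` negation, hashed `|1|` entries) and does not reproduce every detail of OpenSSH's own lookup order.

```python
"""Audit known_hosts: is each hostname trusted via a pinned key or via a CA?"""
from __future__ import annotations

import base64
import fnmatch
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class KnownHostsEntry:
    marker: Optional[str]   # "@cert-authority", "@revoked" or None (plain host key)
    patterns: list[str]     # comma-separated host patterns, possibly hashed
    key_type: str
    key_b64: str


def hash_hostname(hostname: str, salt: bytes) -> str:
    """Build a hashed known_hosts pattern: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(),
                             base64.b64encode(digest).decode())


def parse_known_hosts(text: str) -> list[KnownHostsEntry]:
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = None
        if fields[0].startswith("@"):
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3:
            continue  # malformed line: skip rather than guess at it
        entries.append(KnownHostsEntry(marker, fields[0].split(","), fields[1], fields[2]))
    return entries


def pattern_matches(pattern: str, hostname: str) -> bool:
    """Match one host pattern: hashed entries by HMAC, plain ones by wildcard."""
    if pattern.startswith("|1|"):
        parts = pattern.split("|")
        if len(parts) != 4:
            return False
        salt = base64.b64decode(parts[2])
        return hmac.compare_digest(hash_hostname(hostname, salt), pattern)
    return fnmatch.fnmatchcase(hostname, pattern)


def entry_matches(entry: KnownHostsEntry, hostname: str) -> bool:
    """Positive patterns match; any matching '!' pattern vetoes the whole entry."""
    matched = False
    for pat in entry.patterns:
        if pat.startswith("!"):
            if pattern_matches(pat[1:], hostname):
                return False
        elif pattern_matches(pat, hostname):
            matched = True
    return matched


def trust_basis(entries: list[KnownHostsEntry], hostname: str) -> list[str]:
    """Sorted distinct bases of trust recorded for hostname:
    'ca' (@cert-authority), 'key' (pinned host key), 'revoked' (@revoked)."""
    kinds = set()
    for e in entries:
        if not entry_matches(e, hostname):
            continue
        if e.marker == "@cert-authority":
            kinds.add("ca")
        elif e.marker == "@revoked":
            kinds.add("revoked")
        else:
            kinds.add("key")
    return sorted(kinds)


def key_pinned_only(entries: list[KnownHostsEntry], hostname: str) -> bool:
    """True when a host key change would require editing this client's known_hosts:
    the name is pinned to a key and no CA is recorded for it."""
    basis = trust_basis(entries, hostname)
    return "key" in basis and "ca" not in basis


# Constructed sample known_hosts content: hostnames, salt and key blobs are made
# up placeholders of roughly the right shape, not real keys.
SAMPLE_SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "@cert-authority *.prod.example.internal ssh-ed25519 AAAAEXAMPLEcakey",
    "legacy.example.internal ssh-ed25519 AAAAEXAMPLEhostkey1",
    "@revoked old.prod.example.internal ssh-rsa AAAAEXAMPLErevokedkey",
    hash_hostname("ci.example.internal", SAMPLE_SALT) + " ssh-ed25519 AAAAEXAMPLEhashedkey",
    "*.prod.example.internal,!canary.prod.example.internal ssh-ed25519 AAAAEXAMPLEsharedkey",
])

if __name__ == "__main__":
    entries = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    for host in ("web1.prod.example.internal", "canary.prod.example.internal",
                 "legacy.example.internal", "ci.example.internal"):
        print(host, trust_basis(entries, host), "pinned-only:", key_pinned_only(entries, host))
```

Running it over a real `~/.ssh/known_hosts` (after swapping in that file's text) lists the names that still depend on a pinned key, which is exactly the set a CA-based rollout as described in the thread would let an operator retire.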