IETF-SSH archive
Re: SSH_MSG_KEXGSS_HOSTKEY (was: Re: I-D ACTION:draft-weber-secsh-pkalg-none-00.txt)
> How about a global request that a client send (after kex) to the server
> to list the server's public host keys?
Regardless of what GSSAPI ends up doing, something like that is
probably a good idea for OpenPGP: it would be nice to have a way to
get revocation certificates from the server after you have connected
to the correct server, in case there are old host keys that have been
stolen, and I don't think putting multiple top-level keys in the key
sent during keyex is the right solution. I'm willing to write a draft
about messages to do this, though if jhutz wants to, I'd be happy to
defer to him.
(Indeed, the draft on using pgp-sign-* with secsh that I've written
and intend to submit as soon as drafts are being accepted again talks
about the usefulness of such a mechanism, without proposing one.)
A similar revocation mechanism for X.509 may also be a good idea.