IETF-SSH archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Comments on draft-ietf-secsh-x509-00



=?ISO-8859-1?Q?Henrick_Hellstr=F6m?= <henrick%streamsec.se@localhost> writes:

>Please note that I don't buy any arguments of the kind: "We already have a
>PKI infrastructure and management tells us to use it for everything so we
>really want to send X.509 certificates over SSH." If the host already maps
>user accounts to KNOWN certificates, the server might just as well extract
>the public keys from the certificates and use them as regular public keys.

I was just about to make the same point.  Putting in a huge amount of work to
describe some elaborate infrastructure when to date everyone has got along
just fine with raw public keys (so that by extension any attacker who wants to
sidestep it can just extract and send the raw key) is pretty pointless.  X.509
is a convenient alternative bit-bagging technique for use if you've already
got a pile of PKI set up, not a reason to re-work half the SSH trust model.

Peter.




Home | Main Index | Thread Index | Old Index