IETF-SSH archive


Re: OpenSSH certified keys

>> In particular, we are not comfortable with the complexity
>> (syntactically or semantically) of X.509.
> That's unfortunate, because it's what the rest of the world already
> has as its infrastructure.

This is clearly some unusual definition of "world" I'm not familiar
with.  I'm familiar with three sites' setups.  One of them uses X.509
for nothing at all.  Another does likewise as far as I can tell, but
I'm not quite familiar enough with it to be sure there isn't something
lurking in a corner I haven't seen.  A third uses X.509 certificate
format, but with a private root CA they've set up for their own
purposes; I don't know enough about X.509 to know whether this means
they don't conform to it or not.  (If the software they're using it
with supported something less onerous, they very probably would have
used that instead.)

In none of those three cases is X.509 "what they have as their
infrastructure".

> By not supporting it, you force people to choose between supporting
> your odd, proprietary, unproven certificate format or not getting to
> use certificates at all.

Or, of course, using some other ssh implementation.

> Guess which one anyone with more than 5 machines is going to choose?

Speaking as someone with more than 5 machines, I have even less
interest in X.509 than I do in this new certificate scheme.  X.509 is
about what you'd expect from design-by-committee: over-complicated,
difficult to use, and blithely oblivious to the ways in which its
underlying assumptions are at odds with day-to-day reality.

> OpenSSH would be a lot more useful if it supported the same
> authentication mechanisms as the rest of the world.

Again this odd value of "rest of the world".

X.509 support might be nice to have (though I'm certainly not going to
bother writing the code).  But I'm glad to see experiments with
alternatives as well; monocultures are bad things.

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse%rodents-montreal.org@localhost
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B