Re: OpenSSH certified keys

To: ietf-ssh%netbsd.org@localhost
Subject: Re: OpenSSH certified keys
From: Konstantin Andreev <andreev%swemel.ru@localhost>
Date: Wed, 17 Mar 2010 14:44:28 +0300

On 16.03.10 20:19, Damien Miller wrote:

OpenSSH 5.4p1 introduced a novel, lightweight certificate format for
user and host keys. These were designed to reuse SSH wire-encoding and
signature primitives to minimise the additional attack surface exposed
pre-auth. In particular, we are not comfortable with the complexity
(syntactically or sematically) of X.509.


I am not a security expert.

I can only rely on protocols/solutions, that trustworthy experts assert to be secure, or authoritative government institution certifies as secure.

What have I from this point of view ?

I can be sure that X.509 PKIX was designed and reviewed by the best experts in the industry. I can be sure, that all details I have never heard about were taken into account. There are approved guides which help me reach the highest level of the X.509 security.

Can I be sure that security protocol, designed by self-taught security experts, reaches that level of security or has not hidden defects? Nope.

IMO, being "not comfortable" with X.509 features is not enough to reimplement the wheel...

Best regards,
--
Konstantin Andreev, software engineer.
Swemel JSC.

References:
- OpenSSH certified keys
  - From: Damien Miller

Prev by Date: Re: OpenSSH certified keys
Next by Date: Re: OpenSSH certified keys
Previous by Thread: Re: OpenSSH certified keys
Next by Thread: Re: OpenSSH certified keys
Indexes:

Home | Main Index | Thread Index | Old Index