Yegor Ievlev
2018-May-25 04:09 UTC
Suggestion: Deprecate SSH certificates and move to X.509 certificates
How can I revoke one SSH certificate without having to replace the root certificate and all certificates signed by it? Regarding the second statement, do you have sources? On Fri, May 25, 2018 at 6:58 AM, Peter Moody <mindrot at hda3.com> wrote:> On Thu, May 24, 2018 at 8:36 PM, Yegor Ievlev <koops1997 at gmail.com> wrote: > >> SSH certificates provide no >> way to revoke compromised certificates, > > this isn't true > >> and SSH certificates haven't seen significant adoption, > > this also isn't true. > > enterprises love ssh certificates.
Peter Moody
2018-May-25 04:12 UTC
Suggestion: Deprecate SSH certificates and move to X.509 certificates
On Thu, May 24, 2018 at 9:09 PM, Yegor Ievlev <koops1997 at gmail.com> wrote:> How can I revoke one SSH certificate without having to replace the > root certificate and all certificates signed by it?there is no chaining of ssh certificates.> Regarding the second statement, do you have sources?yes. my day job.> On Fri, May 25, 2018 at 6:58 AM, Peter Moody <mindrot at hda3.com> wrote: >> On Thu, May 24, 2018 at 8:36 PM, Yegor Ievlev <koops1997 at gmail.com> wrote: >> >>> SSH certificates provide no >>> way to revoke compromised certificates, >> >> this isn't true >> >>> and SSH certificates haven't seen significant adoption, >> >> this also isn't true. >> >> enterprises love ssh certificates.
Yegor Ievlev
2018-May-25 04:26 UTC
Suggestion: Deprecate SSH certificates and move to X.509 certificates
That's not a very good source, since it's only available to one person. On Fri, May 25, 2018 at 7:12 AM, Peter Moody <mindrot at hda3.com> wrote:> On Thu, May 24, 2018 at 9:09 PM, Yegor Ievlev <koops1997 at gmail.com> wrote: >> How can I revoke one SSH certificate without having to replace the >> root certificate and all certificates signed by it? > > there is no chaining of ssh certificates. > >> Regarding the second statement, do you have sources? > > yes. my day job. > >> On Fri, May 25, 2018 at 6:58 AM, Peter Moody <mindrot at hda3.com> wrote: >>> On Thu, May 24, 2018 at 8:36 PM, Yegor Ievlev <koops1997 at gmail.com> wrote: >>> >>>> SSH certificates provide no >>>> way to revoke compromised certificates, >>> >>> this isn't true >>> >>>> and SSH certificates haven't seen significant adoption, >>> >>> this also isn't true. >>> >>> enterprises love ssh certificates.
Damien Miller
2018-May-25 04:45 UTC
Suggestion: Deprecate SSH certificates and move to X.509 certificates
On Fri, 25 May 2018, Yegor Ievlev wrote:> How can I revoke one SSH certificate without having to replace the > root certificate and all certificates signed by it? > > Regarding the second statement, do you have sources?Uber, Facebook, Google, Netflix, Lyft, Square, Asana and others are on the record as using OpenSSH certificates (within a minute or two of Googling). Some of them have published their own CA clients/servers (inc. Peter). -d
Possibly Parallel Threads
- Suggestion: Deprecate SSH certificates and move to X.509 certificates
- Suggestion: Deprecate SSH certificates and move to X.509 certificates
- Suggestion: Deprecate SSH certificates and move to X.509 certificates
- Suggestion: Deprecate SSH certificates and move to X.509 certificates
- Can we disable diffie-hellman-group14-sha1 by default?