Yegor Ievlev
2018-May-25 03:58 UTC
Suggestion: Deprecate SSH certificates and move to X.509 certificates
Can you implement revocation support?

On Fri, May 25, 2018 at 6:55 AM, Damien Miller <djm at mindrot.org> wrote:
> No way, sorry.
>
> The OpenSSH certificate format was significantly motivated by X.509's
> syntactic and semantic complexity, and the consequent attack surface in
> the sensitive pre-authentication paths of our code. We're very happy to
> be able to offer certificate functionality while avoiding the numerous
> vulnerabilities that X.509/ASN.1 parsing would have brought.
>
> If you really want X.509 certificates, then I'd recommend Roumen
> Petrov's patches: https://roumenpetrov.info/secsh/ -- he's done a
> fine job of maintaining these over an extended period of time.
>
> -d
>
> On Fri, 25 May 2018, Yegor Ievlev wrote:
>
>> I suggest deprecating proprietary SSH certificates and moving to X.509
>> certificates. The reasons why I suggest this change are: X.509
>> certificates are the standard on the web, SSH certificates provide no
>> way to revoke compromised certificates, and SSH certificates haven't
>> seen significant adoption. It's also a bad idea to roll your own
>> crypto, and one's own certificate format seems like an example of this. I
>> request comments on this proposal, and suggest that X.509 certificates
>> should be supported even if SSH certificates are left in, since
>> that will solve the problem of authenticating a previously unknown
>> server using the same mechanism most of the web is using.
Damien Miller
2018-May-25 04:16 UTC
Suggestion: Deprecate SSH certificates and move to X.509 certificates
On Fri, 25 May 2018, Yegor Ievlev wrote:

> Can you implement revocation support?

What do you want that the existing revocation support lacks?
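The "existing revocation support" Damien refers to is OpenSSH's Key Revocation List (KRL), which ssh-keygen generates and sshd consumes through the RevokedKeys option. The following is an added example for readers of this thread, not code posted by either participant or shipped by OpenSSH: it creates a throwaway CA, issues two user certificates, revokes one of them by serial number, and checks both against the resulting KRL with ssh-keygen -Q. The key file names, key IDs, principals and serial numbers are all constructed for the demo; it requires a local ssh-keygen.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH): OpenSSH certificate
# revocation with a Key Revocation List (KRL), driven entirely by ssh-keygen.
# File names, key IDs ("alice-laptop", "bob-laptop"), principals and serials
# 42/43 are constructed for this demo.
set -eu

# Build a CA, issue two certificates, revoke serial 42 via a KRL, and print the
# status ssh-keygen -Q assigns to the revoked and the unrevoked certificate.
krl_demo() {
    work=$(mktemp -d)
    (
        cd "$work"
        # CA key and two user keys; empty passphrases so the demo is non-interactive
        ssh-keygen -q -t ed25519 -N '' -C 'demo CA' -f ca_key
        ssh-keygen -q -t ed25519 -N '' -C 'alice'   -f alice_key
        ssh-keygen -q -t ed25519 -N '' -C 'bob'     -f bob_key

        # Sign both public keys as user certificates: -I key ID, -n principal,
        # -z serial number (what the KRL will reference), -V validity window.
        ssh-keygen -q -s ca_key -I alice-laptop -n alice -z 42 -V +1d alice_key.pub
        ssh-keygen -q -s ca_key -I bob-laptop   -n bob   -z 43 -V +1d bob_key.pub

        # KRL specification: revoke serial 42 issued by this CA. ssh-keygen(1)
        # also accepts "id:", "key:", "sha1:", "sha256:" and "hash:" directives.
        printf 'serial: 42\n' > krl.spec

        # Generate the KRL (-k). -s names the CA public key that serial/ID entries
        # are bound to; with -k, -z is the KRL version number, not a cert serial.
        ssh-keygen -q -k -f revoked_keys -s ca_key.pub -z 1 krl.spec

        # Test keys against the KRL; -Q exits non-zero when a key is revoked.
        alice_status=ok
        bob_status=ok
        ssh-keygen -Q -f revoked_keys alice_key-cert.pub >/dev/null || alice_status=REVOKED
        ssh-keygen -Q -f revoked_keys bob_key-cert.pub   >/dev/null || bob_status=REVOKED
        printf '%s %s\n' "$alice_status" "$bob_status"
    )
    rm -rf "$work"
}

# Run only when ssh-keygen is installed; expected output: "REVOKED ok"
if command -v ssh-keygen >/dev/null 2>&1; then
    krl_demo
else
    echo "ssh-keygen not found; install OpenSSH to run this demo" >&2
fi
```

On a server the same file is activated with `RevokedKeys /etc/ssh/revoked_keys` in sshd_config; `ssh-keygen -k -u -f revoked_keys ...` appends to an existing KRL rather than regenerating it, and revoking by serial range (`serial: 40-49`) or key ID needs only the CA public key, not a copy of the certificate being revoked.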
Yegor Ievlev
2018-May-25 04:21 UTC
Suggestion: Deprecate SSH certificates and move to X.509 certificates
Please tell me in technical detail how current revocation support works, or give links. Then I will be able to give an answer.

On Fri, May 25, 2018 at 7:16 AM, Damien Miller <djm at mindrot.org> wrote:
>
> On Fri, 25 May 2018, Yegor Ievlev wrote:
>
>> Can you implement revocation support?
>
> What do you want that the existing revocation support lacks?