Yegor Ievlev
2018-May-25 04:26 UTC
Suggestion: Deprecate SSH certificates and move to X.509 certificates
That's not a very good source, since it's only available to one person.

On Fri, May 25, 2018 at 7:12 AM, Peter Moody <mindrot at hda3.com> wrote:
> On Thu, May 24, 2018 at 9:09 PM, Yegor Ievlev <koops1997 at gmail.com> wrote:
>> How can I revoke one SSH certificate without having to replace the
>> root certificate and all certificates signed by it?
>
> there is no chaining of ssh certificates.
>
>> Regarding the second statement, do you have sources?
>
> yes. my day job.
>
>> On Fri, May 25, 2018 at 6:58 AM, Peter Moody <mindrot at hda3.com> wrote:
>>> On Thu, May 24, 2018 at 8:36 PM, Yegor Ievlev <koops1997 at gmail.com> wrote:
>>>
>>>> SSH certificates provide no
>>>> way to revoke compromised certificates,
>>>
>>> this isn't true
>>>
>>>> and SSH certificates haven't seen significant adoption,
>>>
>>> this also isn't true.
>>>
>>> enterprises love ssh certificates.
Peter Moody
2018-May-25 04:34 UTC
Suggestion: Deprecate SSH certificates and move to X.509 certificates
On Thu, May 24, 2018 at 9:26 PM, Yegor Ievlev <koops1997 at gmail.com> wrote:
> That's not a very good source, since it's only available to one person.

https://www.google.com/search?q=peter+moody+ssh+certificates
Yegor Ievlev
2018-May-25 04:38 UTC
Suggestion: Deprecate SSH certificates and move to X.509 certificates
Can you tell what problem with SSH certificate revocation the software you wrote for Uber solves?

On Fri, May 25, 2018 at 7:34 AM, Peter Moody <mindrot at hda3.com> wrote:
> On Thu, May 24, 2018 at 9:26 PM, Yegor Ievlev <koops1997 at gmail.com> wrote:
>> That's not a very good source, since it's only available to one person.
>
> https://www.google.com/search?q=peter+moody+ssh+certificates
Jim Knoble
2018-May-25 04:58 UTC
Suggestion: Deprecate SSH certificates and move to X.509 certificates
You're coming across as rather combative, demanding sources to support others' comments, when you yourself have provided no evidence to support your own claims. Perhaps you want to rethink your approach.

That said, I know of an enterprise with 50,000 employees worldwide who relies on OpenSSH certificates to securely authenticate across bastions into virtual private clouds. I'm pretty sure Peter doesn't work there, as I would know it. That makes two data points to support his statement.

--
jim knoble

> On May 24, 2018, at 21:26, Yegor Ievlev <koops1997 at gmail.com> wrote:
>
> That's not a very good source, since it's only available to one person.
>
>> On Fri, May 25, 2018 at 7:12 AM, Peter Moody <mindrot at hda3.com> wrote:
>>> On Thu, May 24, 2018 at 9:09 PM, Yegor Ievlev <koops1997 at gmail.com> wrote:
>>> How can I revoke one SSH certificate without having to replace the
>>> root certificate and all certificates signed by it?
>>
>> there is no chaining of ssh certificates.
>>
>>> Regarding the second statement, do you have sources?
>>
>> yes. my day job.
>>
>>>> On Fri, May 25, 2018 at 6:58 AM, Peter Moody <mindrot at hda3.com> wrote:
>>>>> On Thu, May 24, 2018 at 8:36 PM, Yegor Ievlev <koops1997 at gmail.com> wrote:
>>>>>
>>>>> SSH certificates provide no
>>>>> way to revoke compromised certificates,
>>>>
>>>> this isn't true
>>>>
>>>>> and SSH certificates haven't seen significant adoption,
>>>>
>>>> this also isn't true.
>>>>
>>>> enterprises love ssh certificates.
Yegor Ievlev
2018-May-25 05:03 UTC
Suggestion: Deprecate SSH certificates and move to X.509 certificates
I did not consciously attempt to be combative. However, your perception may be different.

On Fri, May 25, 2018 at 7:58 AM, Jim Knoble <jmknoble at pobox.com> wrote:
> You're coming across as rather combative, demanding sources to support others' comments, when you yourself have provided no evidence to support your own claims. Perhaps you want to rethink your approach.
>
> That said, I know of an enterprise with 50,000 employees worldwide who relies on OpenSSH certificates to securely authenticate across bastions into virtual private clouds. I'm pretty sure Peter doesn't work there, as I would know it. That makes two data points to support his statement.
>
> --
> jim knoble
>
>
>> On May 24, 2018, at 21:26, Yegor Ievlev <koops1997 at gmail.com> wrote:
>>
>> That's not a very good source, since it's only available to one person.
>>
>>> On Fri, May 25, 2018 at 7:12 AM, Peter Moody <mindrot at hda3.com> wrote:
>>>> On Thu, May 24, 2018 at 9:09 PM, Yegor Ievlev <koops1997 at gmail.com> wrote:
>>>> How can I revoke one SSH certificate without having to replace the
>>>> root certificate and all certificates signed by it?
>>>
>>> there is no chaining of ssh certificates.
>>>
>>>> Regarding the second statement, do you have sources?
>>>
>>> yes. my day job.
>>>
>>>>> On Fri, May 25, 2018 at 6:58 AM, Peter Moody <mindrot at hda3.com> wrote:
>>>>>> On Thu, May 24, 2018 at 8:36 PM, Yegor Ievlev <koops1997 at gmail.com> wrote:
>>>>>>
>>>>>> SSH certificates provide no
>>>>>> way to revoke compromised certificates,
>>>>>
>>>>> this isn't true
>>>>>
>>>>>> and SSH certificates haven't seen significant adoption,
>>>>>
>>>>> this also isn't true.
>>>>>
>>>>> enterprises love ssh certificates.
Konrad Bucheli
2018-May-28 09:42 UTC
Suggestion: Deprecate SSH certificates and move to X.509 certificates
Here you have a second person. We heavily depend on them and they are way easier to manage than X.509 certificates.

On 25.05.2018 06:26, Yegor Ievlev wrote:
> That's not a very good source, since it's only available to one person.
>
> On Fri, May 25, 2018 at 7:12 AM, Peter Moody <mindrot at hda3.com> wrote:
>> On Thu, May 24, 2018 at 9:09 PM, Yegor Ievlev <koops1997 at gmail.com> wrote:
>>> How can I revoke one SSH certificate without having to replace the
>>> root certificate and all certificates signed by it?
>>
>> there is no chaining of ssh certificates.
>>
>>> Regarding the second statement, do you have sources?
>>
>> yes. my day job.
>>
>>> On Fri, May 25, 2018 at 6:58 AM, Peter Moody <mindrot at hda3.com> wrote:
>>>> On Thu, May 24, 2018 at 8:36 PM, Yegor Ievlev <koops1997 at gmail.com> wrote:
>>>>
>>>>> SSH certificates provide no
>>>>> way to revoke compromised certificates,
>>>>
>>>> this isn't true
>>>>
>>>>> and SSH certificates haven't seen significant adoption,
>>>>
>>>> this also isn't true.
>>>>
>>>> enterprises love ssh certificates.

--
konrad bucheli
principal engineer
open systems ag
raeffelstrasse 29
ch-8045 zurich
t: +41 58 100 10 10
f: +41 58 100 10 11
kb at open.ch
http://www.open.ch