-- James A. Donald:
SSH server public/private keys are widely deployed. PKI public keys are not. Reason is that each SSH server just whips up its own keys without asking anyone's permission, or getting any certificates.
Eric Murray:
..which means that it [ssh-- ericm] still requires an OOB authentication. (or blinding typing 'yes' and ignoring the consequences). But that's another subject.
James A. Donald:
Not true. Think about what would happen if you tried a man in the middle attack on an SSH server.
On 5 Sep 2003 at 10:47, Eric Murray wrote:
you'd get the victim's session:
No you will not, because the "victim"'s ssh client will immediately detect that the uncertified public key is different from the last time he logged in -- which is why he will not be a victim. In practice, certification is only useful for governments to monitor us, which is why so few people use it -- not because they are worried about government monitoring, but because there no benefit in it for the end user. --digsig James A. Donald 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG iPa66kCgZYuVbwU8o3SYbR0jE6eUaJfpnOK8I7gd 4GzIVQBL8Is5mMcQ0VkDC+3TEoasePfzJK+k+NbRk