Getting certificates.
James A. Donald
jamesd at echeque.com
Fri Sep 5 20:25:50 PDT 2003
--
James A. Donald:
> > > > SSH server public/private keys are widely deployed.
> > > > PKI public keys are not. Reason is that each SSH
> > > > server just whips up its own keys without asking
> > > > anyone's permission, or getting any certificates.
Eric Murray:
> > > ..which means that it [ssh-- ericm] still requires an OOB
> > > authentication. (or blinding typing 'yes' and ignoring
> > > the consequences). But that's another subject.
James A. Donald:
> > Not true. Think about what would happen if you tried a
> > man in the middle attack on an SSH server.
On 5 Sep 2003 at 10:47, Eric Murray wrote:
> you'd get the victim's session:
No you will not, because the "victim"'s ssh client will
immediately detect that the uncertified public key is different
from the last time he logged in -- which is why he will not be
a victim.
In practice, certification is only useful for governments to
monitor us, which is why so few people use it -- not because
they are worried about government monitoring, but because there
no benefit in it for the end user.
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
iPa66kCgZYuVbwU8o3SYbR0jE6eUaJfpnOK8I7gd
4GzIVQBL8Is5mMcQ0VkDC+3TEoasePfzJK+k+NbRk
More information about the cypherpunks-legacy
mailing list