Re: [Nmh-workers] TLS certificate validation
From: Andy Bradford
Subject: Re: [Nmh-workers] TLS certificate validation
Date: 24 Sep 2016 11:33:14 -0600

Thus said Ken Hornstein on Sat, 24 Sep 2016 11:49:08 -0400:
> Well, technically, ssh does not deal in certificates - they deal with
> keys. They do not have an expiration date. If you need to rekey an ssh
> server, the world falls apart.
Technically, OpenSSH does have support for certificate authorities, so
one need not have the world fall apart, but I don't know how common it
is in use:
CERTIFICATES
ssh-keygen supports signing of keys to produce certificates that may be
used for user or host authentication. Certificates consist of a public
key, some identity information, zero or more principal (user or host)
names and a set of options that are signed by a Certification Authority
(CA) key. Clients or servers may then trust only the CA key and verify
its signature on a certificate rather than trusting many user/host keys.
Note that OpenSSH certificates are a different, and much simpler, format
to the X.509 certificates used in ssl(8).
Andy
--
TAI64 timestamp: 4000000057e6b8fe
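
The fields the quoted ssh-keygen(1) text lists (public key, identity, principals, options, CA key and signature) can be seen by decoding a certificate line. This is an added example, not part of the original message or of OpenSSH; it assumes the `ssh-ed25519-cert-v01@openssh.com` layout from OpenSSH's PROTOCOL.certkeys, the sample certificate is constructed with placeholder key and signature bytes, and the helper names are hypothetical.

```python
import base64
import struct

def _string(buf, off):
    """Read one SSH 'string': uint32 length followed by that many bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def _pack(b):
    """Encode bytes as an SSH 'string' (used only to build the sample)."""
    return struct.pack(">I", len(b)) + b

def parse_cert(line):
    """Split an Ed25519 OpenSSH certificate line into its fields.
    The CA signature is extracted but NOT verified here."""
    blob = base64.b64decode(line.split()[1])
    fields, off = {}, 0
    ktype, off = _string(blob, off)
    if ktype != b"ssh-ed25519-cert-v01@openssh.com":
        raise ValueError("unsupported certificate type")
    _nonce, off = _string(blob, off)
    fields["public_key"], off = _string(blob, off)
    fields["serial"], ctype = struct.unpack_from(">QI", blob, off)
    off += 12
    fields["type"] = {1: "user", 2: "host"}[ctype]
    key_id, off = _string(blob, off)
    fields["key_id"] = key_id.decode()
    packed, off = _string(blob, off)      # principals: strings nested in a string
    names, p = [], 0
    while p < len(packed):
        name, p = _string(packed, p)
        names.append(name.decode())
    fields["principals"] = names
    fields["valid_after"], fields["valid_before"] = struct.unpack_from(">QQ", blob, off)
    off += 16
    for name in ("critical_options", "extensions", "reserved", "ca_key", "signature"):
        fields[name], off = _string(blob, off)
    return fields

def acceptable(cert, host, now):
    """Non-signature checks for a host certificate: type, name, validity window."""
    return (cert["type"] == "host" and host in cert["principals"]
            and cert["valid_after"] <= now < cert["valid_before"])

# Constructed sample: placeholder key and signature bytes, not a real certificate.
_body = b"".join([
    _pack(b"ssh-ed25519-cert-v01@openssh.com"), _pack(b"\x00" * 32), _pack(b"\x11" * 32),
    struct.pack(">QI", 7, 2), _pack(b"mail-host-2016"),
    _pack(_pack(b"mail.example.org")), struct.pack(">QQ", 1474675200, 1506211200),
    _pack(b""), _pack(b""), _pack(b""), _pack(b"\x22" * 51), _pack(b"\x33" * 83)])
SAMPLE = "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(_body).decode() + " constructed"
```
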