PHWinfo - Afficher un message

25/10/2006, 17h54

I was in a discussion with someone yesterday about SSH and how
certification works with a
Certificate Authority. A couple of points could use a little
clarification.

When a new SSH client sends a request to transmit data to the SSH
Server for the first time does it's request include it's (the SSH
client's) certificate which includes it's own
public key inside, and the CA's digital signature as proof of who it
is? Or does the SSH Server ask the CA to validate the client?

Someone suggested that the SSH Server would not need to talk to the CA
at all, and that it
would simply respond to the SSH client directly. I know that without a
CA someone
would have had to put the clients public key on the server and visa
versa, and away we
go. His point is beginning to make sense to me, as it would save a lot
of overhead.

With a CA I had thought the SSH server would need to check with the CA
and the CA
would validate the client, and send the SSH Servers public key to the
client along with it's own digital signature proving it is the valid CA
to the client.

I can see the other persons point that it is reasonable that when the
SSH client was
brought online and entered into the CA lists of valid hosts does the CA
send
this info out to the SSH Servers, preinforming them about the new SSH
client?

I have RTFM for many hours at this point, at www.ssh.org, and
Wikipedia, RSA, etc.

Cheers, Rhino

25/10/2006, 17h54	#4
rhino007_us@yahoo.com Messages: n/a Hébergeur:	Re: Tectia SSH and use with a CA I was in a discussion with someone yesterday about SSH and how certification works with a Certificate Authority. A couple of points could use a little clarification. When a new SSH client sends a request to transmit data to the SSH Server for the first time does it's request include it's (the SSH client's) certificate which includes it's own public key inside, and the CA's digital signature as proof of who it is? Or does the SSH Server ask the CA to validate the client? Someone suggested that the SSH Server would not need to talk to the CA at all, and that it would simply respond to the SSH client directly. I know that without a CA someone would have had to put the clients public key on the server and visa versa, and away we go. His point is beginning to make sense to me, as it would save a lot of overhead. With a CA I had thought the SSH server would need to check with the CA and the CA would validate the client, and send the SSH Servers public key to the client along with it's own digital signature proving it is the valid CA to the client. I can see the other persons point that it is reasonable that when the SSH client was brought online and entered into the CA lists of valid hosts does the CA send this info out to the SSH Servers, preinforming them about the new SSH client? I have RTFM for many hours at this point, at www.ssh.org, and Wikipedia, RSA, etc. Cheers, Rhino