>>>>> "DD" == Darren Dunham <ddunham@redwood.taos.com> writes:
DD>
rhino007_us@yahoo.com <rhino007_us@yahoo.com> wrote:
>> Someone suggested that the SSH Server would not need to talk to the
>> CA at all, and that it
DD> *AFTER* sending, I realize that your subject mentions Tectia SSH.
DD> I apologize if it implements something else for managing keys. I
DD> was referring to openssh.
Tectia offers X.509 certificate support for both server and client
authentication.
In the simplest case, for server authentication: each time you bring up a
new SSH server, you have the CA sign its hostkey. Each client has a copy
of the CA's certificate, initially distributed in a secure manner. This
way, a client can validate the hostname/key binding by checking the
signature in the hostkey certificate using the CA's key. So, instead of
managing a constantly changing known-hosts list, you distribute a single
CA certificate.
The client does not need to contact the CA to perform authentication,
although it may wish to consult the CA's certificate revocation list to
check for a revoked certificate.
--
Richard Silverman
res@qoxp.net
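The server-authentication flow described above, as an added illustration that is not from the original post or from Tectia: a constructed mini-PKI using only Go's standard library, in which the CA signs a server's hostkey, and a client holding nothing but the CA certificate checks the hostname/key binding without contacting the CA and then consults the CA-signed CRL. The CA name, hostnames and serial numbers are made up.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
// must aborts the demo on a PKI setup error (setup code, not part of the client's check).
func must[T any](v T, err error) T {
	if err != nil { panic(err) }
	return v
}
// BuildDemoPKI is the administrator's side: the CA signs a new server's hostkey and publishes
// a CRL, which lists that hostkey when revoke is true. Constructed demo PKI, not Tectia's code.
func BuildDemoPKI(host string, revoke bool) (ca, hostCert *x509.Certificate, crl *x509.RevocationList) {
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo SSH CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: nb, NotAfter: na}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey))))
	hostPub, _, _ := ed25519.GenerateKey(rand.Reader) // the server's own hostkey; the CA certifies its public half
	hostTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}, NotBefore: nb, NotAfter: na}
	hostCert = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, hostTmpl, ca, hostPub, caKey))))
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: nb, NextUpdate: na}
	if revoke {
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: hostCert.SerialNumber, RevocationTime: nb}}
	}
	crl = must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))))
	return ca, hostCert, crl
}
// ClientAccepts is the client's decision. It holds only the CA cert and never contacts the CA:
// verify the signature chain and hostname binding, then consult the CA-signed CRL for the serial.
func ClientAccepts(ca, hostCert *x509.Certificate, crl *x509.RevocationList, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := hostCert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return err // unknown CA, expired, or this hostname is not bound to the presented key
	}
	if err := crl.CheckSignatureFrom(ca); err != nil { return err } // a CRL the CA did not sign proves nothing
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(hostCert.SerialNumber) == 0 {
			return errors.New("host certificate has been revoked")
		}
	}
	return nil
}
```

Note that a second CA with the same name but a different key still fails the check, since the client compares signatures, not names.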