

To: Steve Hanna <steve.hanna@sun.com>
Cc: Paul Hoffman / IMC <phoffman@imc.org>, keydist@cafax.se
From: Derek Atkins <warlord@MIT.EDU>
Date: 04 Jan 2002 18:39:14 -0500
Delivery-Date: Sat Jan 5 00:39:34 2002
In-Reply-To: Steve Hanna's message of "Fri, 04 Jan 2002 16:01:20 -0500"
Sender: owner-keydist@cafax.se
Subject: Re: From whence we came...

Steve Hanna <steve.hanna@sun.com> writes:

> Derek Atkins wrote:
> > Currently, I can point to SSH and Linux FreeS/WAN (an IPsec
> > implementation) that do not support certificates and appear to be
> > very happy not supporting certificates.  Similarly, the IPsec
> > Opportunistic Encryption proposal requires a single, global
> > infrastructure for keying information that is tied to IP Addresses.
> 
> SSHv2 recommends support for X.509v3 certificates for server
> authentication. Support for SPKI and PGP certificates is optional.

Yes, but raw ssh-dsa keys are REQUIRED, and are really what everyone
uses.

> The commercial version of SSH 3.0 apparently includes support
> for client authentication using certificates. 

Ok, so you have one (rather expensive) implementation that supports
the non-required algorithms.  I can name some that don't (for example
OpenSSH).

> So I question your
> assertion that they are happy not supporting certificates.

If they were happy supporting certificates, why did they leave it
recommended instead of making it required?  These decisions were
made based on compromise and trying to make many people happy.

> -Steve

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
