WYTM?

Damien Miller djm at mindrot.org
Sun Oct 19 03:42:34 EDT 2003


On Sun, 2003-10-19 at 00:47, Peter Gutmann wrote:

> >What was the motive for adding lip service into the document?
> 
> So that it's possible to claim PGP and X.509 support if anyone's interested in
> it.  It's (I guess) something driven mostly by marketing so you can answer
> "Yes" to any question of "Do you support <x>".  You can find quite a number of
> these things present in various security specs, it's not just an SSH thing.

I think that you are misrepresenting the problem a little. At
least one vendor (ssh.com) has a product that supports both X.509
and PGP, so the inclusion of these in the I-D is not just marketing
overriding reality - just a lack of will on the part of the draft's
authors.

I have seen little involvement on the secsh wg mailing list by
the ssh.com people since the public spat about trademark rights
over "ssh" a few years back. Since no one else implements these two
public key methods, the work has never been done. IIRC the wg
decided to punt the issue to a separate draft if it ever arose
again. It hasn't in two years.

In the meantime, everyone involved seems to have become deathly 
afraid of touching the draft so as not to impede its glacial 
progress through the IETF on its way to RFC-hood.

Whether a sizeable number of customers actually use certificates
for ssh is another matter. IMO the only real use for certs in ssh
is the issue of initial server authentication.

If one wants to use certificates to facilitate this process, they 
can already - just publish the server keys on a https server 
somewhere and/or sign them with PGP :)

-d


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


