[Cryptography] Why aren’t we using SSH for everything?

Tony Arcieri bascule at gmail.com
Sat Jan 3 17:53:08 EST 2015

SSH has a generally weaker model (TOFU) than at least a privately
maintained X.509 hierarchy (the answer for a stronger/more agile approach
on the SSH side is X.509-like SSH CAs). Likewise, TOFU handles key agility


There are lots of real world reasons why keys might change. In fact key
agility is a nice property! SSH makes it hard. I'm sure we've all seen the
above warning, been confused about the circumstances, but ignored it.

Then there's the part where you need to respecify every protocol to run
atop SSH instead of TLS.

In terms of overall design, SSH and TLS both failed. SSH did
MAC-and-encrypt. TLS did MAC-then-encrypt. Both of them are effectively
legacy protocols that were designed wrong from the get-go.

Tony Arcieri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20150103/e093064e/attachment.html>

More information about the cryptography mailing list