[Cryptography] Why aren’t we using SSH for everything?

Fedor Brunner fedor.brunner at azet.sk
Sun Jan 4 03:20:47 EST 2015

On 03.01.2015 23:53, Tony Arcieri wrote:
> SSH has a generally weaker model (TOFU) than at least a privately
> maintained X.509 hierarchy (the answer for a stronger/more agile approach
> on the SSH side is X.509-like SSH CAs). Likewise, TOFU handles key agility
> poorly:
SSH supports also X.509 vertificates

RFC 6187


> https://d262ilb51hltx0.cloudfront.net/max/800/1*mva2_6fu-3QfdTDfueclEg.png
> There are lots of real world reasons why keys might change. In fact key
> agility is a nice property! SSH makes it hard. I'm sure we've all seen the
> above warning, been confused about the circumstances, but ignored it.
> Then there's the part where you need to respecify every protocol to run
> atop SSH instead of TLS.
> In terms of overall design, SSH and TLS both failed. SSH did
> MAC-and-encrypt. TLS did MAC-then-encrypt. Both of them are effectively
> legacy protocols that were designed wrong from the get-go.
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography

More information about the cryptography mailing list