[Cryptography] Why aren’t we using SSH for everything?

Tony Arcieri bascule at gmail.com
Sun Jan 4 18:18:45 EST 2015

On Sun, Jan 4, 2015 at 7:23 AM, Christoph Anton Mitterer <calestyo at scientia.net> wrote:

> Apart from that,... everyone should know by now, that the X.509 / CA
> based trust system we have in TLS is inherently broken... alone the fact
> that you have several 100 CAs in your browsers, many completely
> untrustworthy or proven to be incompetent.

Yes, I'm sure everyone on this list knows Achmed's Used Cars and

> So probably the best possible way to have a strict hierarchical system
> would be DANE.

Great in theory, but DNSSEC is terrible in practice

> And for DANE in turn, you could just place your SSH keys in DNS. Scales
> as good as anything else.

Is that even supported now?

Tony Arcieri
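What "placing your SSH keys in DNS" amounts to in practice is the SSHFP record (RFC 4255, SHA-256 fingerprints per RFC 6594), which OpenSSH can emit with `ssh-keygen -r` and consult when `VerifyHostKeyDNS` is enabled. The Python below is an added example, not code from this thread: it derives the SSHFP RDATA from an OpenSSH public-key line and checks a presented host key against a record; the keys are constructed sample blobs, not real keys.

```python
import base64
import hashlib
import hmac
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) and fingerprint types.
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
SSHFP_FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}  # 1 = SHA-1, 2 = SHA-256

def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data

def parse_pubkey_line(line: str):
    """Split an OpenSSH public-key line ('type base64 [comment]') into (type, raw blob)."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob starts with the key type as an SSH string; refuse inconsistent input.
    length = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + length] != key_type.encode():
        raise ValueError("key type mismatch between text and blob")
    return key_type, blob

def sshfp_rdata(pubkey_line: str, fp_type: int = 2) -> str:
    """Return the SSHFP RDATA text 'alg fptype hexdigest' for a public key (same digest as ssh-keygen -r)."""
    key_type, blob = parse_pubkey_line(pubkey_line)
    digest = SSHFP_FP_TYPES[fp_type](blob).hexdigest()
    return f"{SSHFP_ALGORITHMS[key_type]} {fp_type} {digest}"

def matches_sshfp(pubkey_line: str, rdata: str) -> bool:
    """Check a host key presented by a server against one SSHFP record's RDATA."""
    alg, fp_type, fingerprint = rdata.split()
    key_type, blob = parse_pubkey_line(pubkey_line)
    if SSHFP_ALGORITHMS.get(key_type) != int(alg):
        return False  # record is for a different key algorithm
    hasher = SSHFP_FP_TYPES.get(int(fp_type))
    if hasher is None:
        return False  # unknown fingerprint type: treat as no match, never as success
    return hmac.compare_digest(hasher(blob).hexdigest(), fingerprint.lower())

# Constructed sample keys (not real keys): ed25519 wire format is string("ssh-ed25519") + string(32 bytes).
def make_ed25519_line(raw32: bytes) -> str:
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " host@example"

HOST_KEY = make_ed25519_line(bytes(range(32)))      # the key the server presents
OTHER_KEY = make_ed25519_line(bytes(range(1, 33)))  # a different key, must not verify

if __name__ == "__main__":
    record = sshfp_rdata(HOST_KEY)
    print("host.example. IN SSHFP", record)
    print(matches_sshfp(HOST_KEY, record), matches_sshfp(OTHER_KEY, record))
```

The record only helps if the DNS answer itself is authenticated (DNSSEC), which is exactly the dependency the thread is arguing about.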