-- James A. Donald: > > > > SSH server public/private keys are widely deployed. > > > > PKI public keys are not. Reason is that each SSH > > > > server just whips up its own keys without asking > > > > anyone's permission, or getting any certificates.
Eric Murray: > > > ..which means that it [ssh-- ericm] still requires an OOB > > > authentication. (or blinding typing 'yes' and ignoring > > > the consequences). But that's another subject. James A. Donald: > > Not true. Think about what would happen if you tried a > > man in the middle attack on an SSH server. On 5 Sep 2003 at 10:47, Eric Murray wrote: > you'd get the victim's session: No you will not, because the "victim"'s ssh client will immediately detect that the uncertified public key is different from the last time he logged in -- which is why he will not be a victim. In practice, certification is only useful for governments to monitor us, which is why so few people use it -- not because they are worried about government monitoring, but because there no benefit in it for the end user. --digsig James A. Donald 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG iPa66kCgZYuVbwU8o3SYbR0jE6eUaJfpnOK8I7gd 4GzIVQBL8Is5mMcQ0VkDC+3TEoasePfzJK+k+NbRk