
Garrett: We need better support for SSH host certificates

Posted Mar 27, 2023 10:36 UTC (Mon) by mb (subscriber, #50428)
In reply to: Garrett: We need better support for SSH host certificates by NYKevin
Parent article: Garrett: We need better support for SSH host certificates

>TOFU should be obsolete.

I don't see a problem with TOFU.
Sprinkling CA trust chains does not really solve any real world problem that TOFU doesn't also practically solve. And it's so much simpler.

The real problem is the lack of an automated mechanism to revoke accepted keys. But that has nothing to do with TOFU.
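OpenSSH's known_hosts format does carry a manual revocation marker (`@revoked`), which is the closest thing TOFU has to the mechanism mb is asking for. The following Python, added here as an illustration and not part of anyone's comment, checks a host key against plain, hashed (HashKnownHosts) and `@revoked` entries the way a client would; the host names, key blobs and salt are constructed placeholders.

```python
import base64
import fnmatch
import hashlib
import hmac

HASH_MAGIC = "|1|"

def hash_hostname(host: str, salt: bytes) -> str:
    """HashKnownHosts form of a host: |1|b64(salt)|b64(HMAC-SHA1(key=salt, host))."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(digest).decode()

def host_matches(pattern: str, host: str) -> bool:
    """Match a known_hosts host field (plain, comma list, glob or hashed) against host.
    Negated '!' patterns and [host]:port forms are not handled."""
    if pattern.startswith(HASH_MAGIC):
        salt = base64.b64decode(pattern.split("|")[2])
        return hmac.compare_digest(hash_hostname(host, salt), pattern)
    return any(fnmatch.fnmatchcase(host, p) for p in pattern.split(","))

def check_host_key(known_hosts: str, host: str, key_type: str, key_b64: str) -> str:
    """Return 'revoked', 'known' or 'unknown' for (host, key_type, key_b64).
    A matching @revoked line wins over ordinary entries, as in OpenSSH."""
    verdict = "unknown"
    for line in known_hosts.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = None
        if fields[0].startswith("@"):  # @revoked or @cert-authority
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3 or not host_matches(fields[0], host):
            continue
        if fields[1] == key_type and fields[2] == key_b64:
            if marker == "@revoked":
                return "revoked"
            if marker is None:  # @cert-authority names a CA key, not a host key
                verdict = "known"
    return verdict

# Constructed sample (not from the thread): two TOFU-accepted keys, then a
# revocation of the first. Key blobs are placeholders, not real keys.
OLD_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER_OLD_KEY"
NEW_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER_NEW_KEY"
SALT = bytes(range(20))  # fixed salt so the hashed entry is reproducible
SAMPLE_KNOWN_HOSTS = "\n".join([
    f"build.example.internal ssh-ed25519 {OLD_KEY}",  # plain accept-new entry
    f"{hash_hostname('git.example.internal', SALT)} ssh-ed25519 {NEW_KEY}",  # HashKnownHosts
    f"@revoked build.example.internal ssh-ed25519 {OLD_KEY}",  # distributed later by an admin
])
```

The `@revoked` line has to be written by someone; nothing in the TOFU flow itself ever produces one, which is mb's point.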


Garrett: We need better support for SSH host certificates

Posted Mar 27, 2023 16:44 UTC (Mon) by nix (subscriber, #2304) (2 responses)

Quite. Using CAs assumes that in some meaningful sense things that CAs sign are more "trusted" than things you trust on first use. Given that nobody can name the CAs they allegedly "trust" (none of which they asked to trust, or actually trust in any conventional sense of the term), and that a whole pile of them have been found to be actually untrustworthy, and that more or less all of them except possibly LetsEncrypt are incentivized to be taken over by total scumbags and they would still be marked trusted more or less everywhere for some time after that, I might suggest that this appears to be not entirely true.

The CA ecosystem makes me shiver. My local SSH key distribution network is a very simple thing involving AuthorizedKeysCommand and curl and private keys on yubikeys and is easy to understand and 100% entirely under my control, and can be used equally easily for machines on the public DNS and machines that are not. It does not make me shiver. Frankly even putting the private keys on a local disk seems a lot less terrifying to me than relying on the snake-infested nightmare zone that is the global PKI infrastructure.

Garrett: We need better support for SSH host certificates

Posted Mar 27, 2023 18:35 UTC (Mon) by NYKevin (subscriber, #129325) (1 response)

Nobody is claiming that CAs are perfect. My contention is that, under the CA/B, trust is like tap water. You may not agree with all of the details of how it works, but in practice, it does work, and millions of people rely on it every day. It does fail, but (also like tap water) those failures are both rare and A Big Deal.

OTOH, TOFU is basically the equivalent of grabbing a cup of water out of a river, eyeballing it to make sure it looks vaguely clean-ish, and hoping for the best. You probably won't get sick. I mean, lots of animals drink out of that river, right?

Garrett: We need better support for SSH host certificates

Posted Mar 27, 2023 18:39 UTC (Mon) by NYKevin (subscriber, #129325)

I should also point out that, if you are manually checking the keys and verifying them, you aren't practicing TOFU. TOFU means "trust on first use" not "verify on first use." The problem is, most people can't be bothered to do that in practice.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds