|
|
Subscribe / Log in / New account

Garrett: We need better support for SSH host certificates

Garrett: We need better support for SSH host certificates

Posted Mar 27, 2023 18:35 UTC (Mon) by NYKevin (subscriber, #129325)
In reply to: Garrett: We need better support for SSH host certificates by nix
Parent article: Garrett: We need better support for SSH host certificates

Nobody is claiming that CAs are perfect. My contention is that, under the CA/B, trust is like tap water. You may not agree with all of the details of how it works, but in practice, it does work, and millions of people rely on it every day. It does fail, but (also like tap water) those failures are both rare and A Big Deal.

OTOH, TOFU is basically the equivalent of grabbing a cup of water out of a river, eyeballing it to make sure it looks vaguely clean-ish, and hoping for the best. You probably won't get sick. I mean, lots of animals drink out of that river, right?

to post comments

Garrett: We need better support for SSH host certificates

Posted Mar 27, 2023 18:39 UTC (Mon) by NYKevin (subscriber, #129325) [Link]

I should also point out that, if you are manually checking the keys and verifying them, you aren't practicing TOFU. TOFU means "trust on first use" not "verify on first use." The problem is, most people can't be bothered to do that in practice.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds