Actually I'll wager OpenSSH is able to require client certificates, since it is built on OpenSSL.
Well then, you'd lose your wager. OpenSSL has cert handling OK, but the SSH protocol can't use certificates directly
I did patch OpenSSH (version 1) a while ago so that it can use certificates if they are available via local files or an LDAP server, and am currently trying to get OpenSSH2 similarly able.
But even if you have certificates signed by
a third party, that's not the end of the story.
For instance, what are the certification policies
for your CA? How does he check that you really are
who you say you are? How does he know that you
manage the server you are requesting a certificate
for? How does anyone else know that?
A VPN doesn't really help. Whenever you get
authentication material from certificates there
still remains the problem of identifying what
entity is bound to that key, and what level of
trust you should give to it.
The article doesn't really establish weaknesses
in either SSL or SSH. It simply explores the problem of how to trust public keys -- which has
been going on ever since PK systems were developed
(think PGP, X.509, etc)
Re:Digital signatures are not really signatures.
on
GPG vs. PGP?
·
· Score: 1
On the subject of "seeding" the web of trust, there's also the Global Trust Register
A paper and ink listing of known public keys, published via Cambridge University Computing Laboratory.
I'll agree that the line between software and hardware is getting a little fuzzy here. Indeed. Not quite sure a) what counts as 'hardware only' encryption. Schlumberger Cryptoflex? The Clipper chip? Both legal in the UK (although the latter is undesirable:-)) b) Why you think that the UK forbids the use/import/export of such devices. If shipping crypto to other countries other than via the Open General Export License, you need a DTI approved export license, which you wont get if the gov't doesn't like who you're sending it to, but its pretty much the same for anything, even oil pipelines getting sent to Iraq... If the rules have been relaxed in France it must have been very recently (last 6 months). They were. About 5 months ago, Lionel Jospin announced a volte face in French crypto to allow high strength crypto into and out of the country. Which is why you don't see any "Netscape Communicator for France" any more. --Ng
> For example in the UK it is actually illegal to do encryption in hardware You mean like the nCipher device which performs RSA and DH operations in hardware? Produced in Cambridge (not the one in MA)? A little more care required before you post inaccurate stuff like that It is not illegal to perform encryption in hardware, software or via two packs of playing cards in the UK. Much to the security services' annoyance.
Err..no OpenLDAP can choose from different backends, but the default one is the LDBM structure, which is a hashed indexed database (like Berkeley DBM, or GNU DBM). You might be mistaking the LDIF dumps which serve either to restore corrupted databases or to transport the data to another server, but it's definitely not unindexed text files. If you want, you can put scripts in so that OpenLDAP will backend data queries to an SQL database, or similar.
Slashdot Mirror
Well then, you'd lose your wager. OpenSSL has cert handling OK, but the SSH protocol can't use certificates directly
I did patch OpenSSH (version 1) a while ago so that it can use certificates if they are available via local files or an LDAP server, and am currently trying to get OpenSSH2 similarly able.
So there's hope yet
For instance, what are the certification policies for your CA? How does he check that you really are who you say you are? How does he know that you manage the server you are requesting a certificate for? How does anyone else know that?
A VPN doesn't really help. Whenever you get authentication material from certificates there still remains the problem of identifying what entity is bound to that key, and what level of trust you should give to it.
The article doesn't really establish weaknesses in either SSL or SSH. It simply explores the problem of how to trust public keys -- which has been going on ever since PK systems were developed (think PGP, X.509, etc)
A paper and ink listing of known public keys, published via Cambridge University Computing Laboratory.
I'll agree that the line between software and hardware is getting a little fuzzy here. Indeed. Not quite sure a) what counts as 'hardware only' encryption. Schlumberger Cryptoflex? The Clipper chip? Both legal in the UK (although the latter is undesirable :-)) b) Why you think that the UK forbids the use/import/export of such devices. If shipping crypto to other countries other than via the Open General Export License, you need a DTI approved export license, which you wont get if the gov't doesn't like who you're sending it to, but its pretty much the same for anything, even oil pipelines getting sent to Iraq... If the rules have been relaxed in France it must have been very recently (last 6 months). They were. About 5 months ago, Lionel Jospin announced a volte face in French crypto to allow high strength crypto into and out of the country. Which is why you don't see any "Netscape Communicator for France" any more. --Ng
> For example in the UK it is actually illegal to do encryption in hardware You mean like the nCipher device which performs RSA and DH operations in hardware? Produced in Cambridge (not the one in MA)? A little more care required before you post inaccurate stuff like that It is not illegal to perform encryption in hardware, software or via two packs of playing cards in the UK. Much to the security services' annoyance.
Berkeley DB (not DBM)
Err..no OpenLDAP can choose from different backends, but the default one is the LDBM structure, which is a hashed indexed database (like Berkeley DBM, or GNU DBM). You might be mistaking the LDIF dumps which serve either to restore corrupted databases or to transport the data to another server, but it's definitely not unindexed text files. If you want, you can put scripts in so that OpenLDAP will backend data queries to an SQL database, or similar.