From: Matthias Urlichs
Subject: Re: [Help-gnutls] Re: OpenPGP certificate verification for TLS connections
Date: Tue, 17 Apr 2007 21:12:01 +0200
User-agent: Mutt/1.5.13 (2006-08-11)

Hi,
Daniel Kahn Gillmor:
> i think this is precisely what is needed, actually. Take as an
> existing example, the default form of key/identity matching used in
> OpenSSH: the ~/.ssh/known_hosts file. An entry in that file indicates
> that the user trusts that the key is bound to that host (the host
> being the agent who controls that key).
>

Good example, that. I do NOT want to ask my user "is that really the key
of the host you want to talk to?" questions. In a large system, that's
pointless, especially as you're really not supposed to give the same key
to multiple hosts. Does any of you ever check that fingerprint against
the original?

So what I *really* want is a host key that's signed by the systems'
admin key, and I want to tell my users, or rather my default user setup,
"if you see a host key that's signed by _that_ key here, and if you're
connecting to hosts in _these_ domains, maybe print a nice info the
first time you see it in an interactive session, but otherwise assume
it's OK".

Or something along these lines.

--
Matthias Urlichs | {M:U} IT Design @ m-u-it.de | address@hidden
Disclaimer: The quote was selected randomly. Really. | http://smurf.noris.de
- -
How many Bavarian Illuminati does it take to screw in a lightbulb?
Three: one to screw it in, and one to confuse the issue.
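
The policy described in this message, sketched as an added example (not code from the thread, GnuTLS or OpenSSH). It assumes the OpenPGP layer has already verified the certification signatures; `TrustPolicy`, `check_host_key` and the fingerprint and domain values are hypothetical. It also requires the certified user ID to name the host being contacted, which is an assumption beyond what the message states.

```python
from dataclasses import dataclass, field

@dataclass
class TrustPolicy:
    # Admin key fingerprint -> domains that key may vouch for (constructed values below).
    admin_domains: dict
    # (hostname, host key fingerprint) pairs already announced to the user.
    announced: set = field(default_factory=set)

def in_domain(hostname, domain):
    """Match on a label boundary so 'evilexample.org' is not inside 'example.org'."""
    host = hostname.lower().rstrip(".")
    dom = domain.lower().strip(".")
    return host == dom or host.endswith("." + dom)

def check_host_key(policy, hostname, host_fpr, certifications, interactive=False):
    """Return 'accept', 'accept-notify' or 'reject'.

    certifications: (user_id, signer_fpr) pairs whose signatures over the host
    key were already verified cryptographically by the OpenPGP layer (assumed).
    """
    host = hostname.lower().rstrip(".")
    for user_id, signer_fpr in certifications:
        # The admin signs a (key, user ID) binding, so the certified user ID
        # must name this host; otherwise any signed host could pose as another.
        if user_id.lower().rstrip(".") != host:
            continue
        domains = policy.admin_domains.get(signer_fpr, ())
        if not any(in_domain(host, d) for d in domains):
            continue
        # Announce once per (host, key), and only in an interactive session.
        if interactive and (host, host_fpr) not in policy.announced:
            policy.announced.add((host, host_fpr))
            return "accept-notify"
        return "accept"
    return "reject"

# Constructed sample data: placeholder fingerprint and domain.
ADMIN = "ADMIN-KEY-FPR-PLACEHOLDER"
POLICY = TrustPolicy(admin_domains={ADMIN: ["example.org"]})
```

A key change on a known host produces a new (host, fingerprint) pair, so it is announced again rather than accepted silently.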