Re: [Nmh-workers] TLS certificate validation

[Andy Bradford]

Thus said Ken Hornstein on Sat, 24 Sep 2016 11:49:08 -0400:

> Well, technically, ssh does not deal  in certificates - they deal with
> keys. They do not have an expiration date. If you need to rekey an ssh
> server, the world falls apart.

Technically, OpenSSH  does have support for  certificate authorities, so
one need not have  the world fall apart, but I don't  know how common is
it in use:

CERTIFICATES
     ssh-keygen supports signing of keys to produce certificates that may be
     used for user or host authentication.  Certificates consist of a public
     key, some identity information, zero or more principal (user or host)
     names and a set of options that are signed by a Certification Authority
     (CA) key.  Clients or servers may then trust only the CA key and verify
     its signature on a certificate rather than trusting many user/host keys.
     Note that OpenSSH certificates are a different, and much simpler, format
     to the X.509 certificates used in ssl(8).

Andy
-- 
TAI64 timestamp: 4000000057e6b8fe