[rakoo]

That's why you need certificates and not just a key pair. Certificates make key rotation easier, and you want key rotation to be easy.

I guess the proper way forward is a small utility that gets the latest signature through http+tls, and replaces the line in your known_hosts file, all in the background.

Looking long term, maybe we need to get rid of all the security stuff in ssh and just pipe the rest of its functionalities inside a TLS pipe. Let the os do its certificate management, reuse security bricks that are way more studied, ...

[oleganza]

Certificates just add more keys to worry about. The beauty of SSH is that it does not add hugely trusted parties in the name of convenience, while the UX of TOFU (trust on first use) is pretty decent.

The real solution to break out of these UX/security tradeoffs is to put domain names on a blockchain: then you can simply rotate the key in your DNS record, while the blockchain model is such that you need to compromise many parties, instead of "one out of many parties", as with CAs.

Tracking Bitcoin chain for DNS updates is lightweight enough that it can be built into OS alongside other modern components such as secure enclave, TCP/IP stack and WiFi/BT/5G radios.

[megous]

Those keys can be worried about on a better secured computer, and don't need to be spread out on every frontend ssh server. Also it allows you to have each machine have a different host key pair, so if one leaks, only that single machine may have some trust issues, and not the whole fleet.

Also it's way better than TOFU, you can just add the CA key to known_hosts and avoid TOFU for each machine.

(Nevermind that you'll probably not accidentally commit some semi-ephemeral host key that's rotated often somewhere, because it will not be some special snowflake key you care about, but something handled by your infrastructure software automatically for each machine)

[hnfong]

> The beauty of SSH is that it does not add hugely trusted parties in the name of convenience

Even with a certificate authority model, you don't have to trust any CAs if you don't want to. Not having the option to do so is more of a problem.

[datadeft]

We should use a separate system that could reliably verify which certs belong to which entity.

Blockchain is a perfect solution to this. I wonder why it is not considered yet.

[jtsiskin]

https://certificate.transparency.dev it is

[datadeft]

Thanks, I was not aware!

[leetrout]

Are there any cert solutions that dont involve having to maintain a revocation list? I only used certs with openvpn years ago and the CRL was a potential footgun.

[goalieca]

This is one reason people are issuing certs with 2 week expiry.

[marcosdumay]

> Certificates make key rotation easier

How easy is it to rotate the keys of your CA?