[nibbleshifter]

Ssh certificate authorities are a thing that exists.

We also have a way to put SSH host key fingerprints in DNS records already.

[datadeft]

Yeah like how HTTPS CAs exist. There are some very nice three letter ones who can issue any certificate and your browser / OS happily accepts it.

[BenjiWiebe]

SSH doesn't have any CAs that it trusts out of the box. It's up to you to tell it which one to trust.

[Arch-TK]

Yes but the option to do verify host keys using ("VerifyHostKeyDNS") is not enabled by default.

[prussian]

Unless it has changed recently, you can't have a trust chain of OpenSSH certs though so it's cumbersome that your signing key is not only the root ca but also basically has to be 24/7 accessible to sign any server/client you want to bring up.

[lxgr]

This just kicks the can down the road to DNS.

I'd guess that most systems aren't using DoH/DoT or end-to-end DNSSEC yet. Some browsers do, but that doesn't help tooling frequently used on the command line.

I suppose you could just accept X.509 certificates for some large/enterprise git domains, but that pokes up the hornet's nest that is CA auditing (the browser vendors are having a lot of fun with that, I'm happy that the OpenSSH devs don't have to, yet).

And where do you maintain the list that decides which hosts get to use TOFU and which ones are allowed to provide public keys? Another question very ill-fitted for the OpenSSH dev team.

[tptacek]

No browser uses DNSSEC.

[nibbleshifter]

Thank god. Someone needs to take that protocol out back and give it the old yeller treatment.

[lxgr]

That was in reference to the former, i.e. in-browser DoH/DoT lookups.

[roblabla]

DNS can trivially be mitm'd. DNS-stored fingerprints are strictly less secure than TOFU.

[tialaramex]

If you use DNSSEC (cue inevitable rant from Thomas) this just works. If you have DoH (and why wouldn't you?) and your trusted resolver uses DNSSEC (which popular ones do), you get the same benefits.

https://en.wikipedia.org/wiki/SSHFP_record