by abricq
428 days ago
I'm actually really bad at all these networking certificates, and have a question for the experts. If a user has to sign a short-lived CA and then present that certificate to the host he wishes to connect to, isn't that basically allowing CA emitters to track the user's activity for this host? This feels like replacing ssh with ssh-with-tracking. Am I missing something?
Hosts answering connections using that cert don't have to send anything back to the CA. They just need rules like: "I trust this CA. If a user has a cert from it, and this precise combination of fields matches, I consider this user's response trustworthy".
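The reply's point can be shown end to end with plain OpenSSH tooling. The script below is an added example, not code from the thread: it creates a CA key pair, has the CA sign a user key into a short-lived certificate, and then mirrors the host-side check (trusted CA fingerprint, allowed principal) using only files on local disk. Nothing contacts the CA after signing, which is why the CA cannot see which hosts the certificate is later presented to. The key names, the principal `alice`, the key ID `alice-2024` and the `sshd_config` paths are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Demonstrates that validating an SSH
# user certificate needs only the CA's *public* key held by the host; the CA
# is never contacted at connection time. Everything runs in a temp directory.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. CA key pair. The CA keeps user_ca; hosts receive only user_ca.pub.
ssh-keygen -q -t ed25519 -N '' -C 'user-ca' -f "$WORK/user_ca"
# A second, unrelated CA, used below to show a cert from the wrong CA is refused.
ssh-keygen -q -t ed25519 -N '' -C 'other-ca' -f "$WORK/other_ca"

# 2. The user's own key pair (assumed user "alice").
ssh-keygen -q -t ed25519 -N '' -C 'alice@laptop' -f "$WORK/alice"

# 3. The CA signs alice's public key: key ID, principal "alice", valid 1 hour.
#    Produces alice-cert.pub. This is the last time the CA is involved.
ssh-keygen -q -s "$WORK/user_ca" -I 'alice-2024' -n alice -V +1h "$WORK/alice.pub"

# 4. What a host would configure (hypothetical paths; written out only to show it).
cat > "$WORK/sshd_config.fragment" <<'EOF'
TrustedUserCAKeys /etc/ssh/user_ca.pub
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
EOF

# Mirrors the host-side decision with local files only:
#   - the certificate's signing-CA fingerprint equals the trusted CA key's fingerprint
#   - the login name appears in the certificate's principal list
# sshd additionally enforces the Valid window and any RevokedKeys list; both are
# also purely local checks. Returns 0 if the cert would be accepted, 1 otherwise.
host_side_check() {
    cert=$1; trusted_ca_pub=$2; login=$3
    want=$(ssh-keygen -lf "$trusted_ca_pub" | awk '{print $2}')
    info=$(ssh-keygen -Lf "$cert")
    got=$(printf '%s\n' "$info" | awk '/Signing CA:/ {print $4}')
    [ -n "$got" ] && [ "$got" = "$want" ] || return 1
    printf '%s\n' "$info" | awk -v p="$login" '
        /Principals:/       { f = 1; next }
        /Critical Options:/ { f = 0 }
        f && $1 == p        { found = 1 }
        END                 { exit !found }' || return 1
    return 0
}

# Stand-alone run: accept alice, reject bob, reject a cert checked against the other CA.
if host_side_check "$WORK/alice-cert.pub" "$WORK/user_ca.pub" alice; then
    echo "alice: accepted (local check only, no CA contact)"
fi
if ! host_side_check "$WORK/alice-cert.pub" "$WORK/user_ca.pub" bob; then
    echo "bob: rejected (not a principal in the cert)"
fi
if ! host_side_check "$WORK/alice-cert.pub" "$WORK/other_ca.pub" alice; then
    echo "alice via other CA: rejected (signing CA not trusted)"
fi
```

Run it on any machine with `ssh-keygen` and no network; the three outcomes come entirely from the certificate file and the CA public key. Which fields the host insists on (principal, key ID, validity, source-address critical option) is the "precise combination of fields" the reply refers to, and all of them are evaluated by `sshd` itself.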