fsebugoutzone.org:9999

       Post ATxFLeMpsq70u0Es8e by djm@cybervillains.com
 (DIR) More posts by djm@cybervillains.com
 (DIR) Post #ATxFLeMpsq70u0Es8e by djm@cybervillains.com
       2023-03-24T10:00:32Z
       
       0 likes, 0 repeats
       
       I see it&#39;s SSH Key Security Take Night, so here&#39;s mine: if GitHub implemented OpenSSH&#39;s key rotation protocol they could have gracefully rolled past their RSA key disclosure with no trust continuity break for most clients
       
 (DIR) Post #ATxFLfG8ZELdfW72Ku by bk2204@mastodon.social
       2023-03-24T20:26:45Z
       
       0 likes, 1 repeats
       
       @djm GitHub does implement OpenSSH&#39;s key rotation protocol.  I adopted the patch to our SSH library and we did this with the ECDSA and Ed25519 keys.  The problem is it requires a connection to the server to rotate the keys, and it&#39;s only really usable in OpenSSH 8.5 and newer, which is a tiny fraction of clients.If you have a short time to rotate due to an emergency, then most people won&#39;t have made a connection in time to rotate, and it doesn&#39;t fix things like ephemeral systems.