PuTTY wish host-key-rollover

This is a mirror. Follow this link to find the primary PuTTY web site.

Home | FAQ | Feedback | Licence | Updates | Mirrors | Keys | Links | Team
Download: Stable · Snapshot | Docs | Privacy | Changes | Wishlist

summary: Host key/algorithm rollover not well supported
class: wish: This is a request for an enhancement.
priority: medium: This should be fixed one day.

When a server gains a new host key type, PuTTY does what it can to keep using the old key. Better might be to try to certify the new key from the old one.

The SSH protocol doesn't have any facilities designed to help with this, but maybe we can cook up a cross-certification scheme that's compatible with existing servers using key re-exchange.

Ian Jackson has also made some suggestions for protocol extensions to allow more general key rollover (even with keys of the same type) with cooperating servers.

OpenSSH has a protocol for allowing servers to advertise the host keys that they support after connection (hostkeys-00@openssh.com, hostkeys-prove-00@openssh.com. This would at least provide for key rollovers between key types.

If you want to comment on this web site, see the Feedback page.
Audit trail for this wish.
(last revision of this bug record was at 2017-04-28 16:52:45 +0100)