Well, or the private signing key of your CA of course, that is another point they could attack to get access to everything.
Posted Jun 12, 2026 7:11 UTC (Fri) by anselm (subscriber, #2796) [Link] (2 responses)
The private signing key of our CA is a lot more difficult to get at than private SSH keys on random developers' laptops, so that's a net win.
Also, access to the OIDC IdP can be straightforwardly made more secure using MFA (e.g., with a USB FIDO2 device). This could of course also be done for standard SSH keys, but it is more of a hassle to set up, it wouldn't solve the problem of having to maintain potentially many copies of the corresponding public SSH keys all over the place, and the USB FIDO2 device works for other web-based services, too.
Posted Jun 12, 2026 7:49 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link]
BTW, you can also combine both approaches. Nothing stops you from issuing SSH CA certs for token-based keys.
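An added example (not from this thread or from any of the commenters) of the combination Cyberax describes: the CA only ever signs the public half of a key, so the same certificate workflow applies whether the private key is a file on a laptop or lives on a FIDO2 token. Because a `-sk` key cannot be generated without hardware, the script uses a plain ed25519 key as a stand-in; the working directory, key comments, the principals `alice,deploy`, the 8-hour validity and the sshd_config lines are all assumptions.

```shell
#!/bin/sh
# Added example (not from the LWN thread): issue a short-lived SSH CA
# certificate for a user's public key and inspect what the server will see.
# In production the user key comes from a FIDO2 token
# (ssh-keygen -t ed25519-sk); a software ed25519 key stands in here so the
# script runs offline. All paths and names below are constructed.
set -eu
command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found" >&2; exit 0; }

WORK="${WORK:-$(mktemp -d)}"

# 1. CA key. In practice this lives on an HSM or a locked-down signing host,
#    not on a developer machine.
make_ca() {
    [ -f "$WORK/ca" ] || ssh-keygen -q -t ed25519 -N '' -C 'example-ssh-ca' -f "$WORK/ca"
}

# 2. User key. Stand-in for a token-backed key such as
#    `ssh-keygen -t ed25519-sk -f id_ed25519_sk`; only user.pub is used below,
#    so with a real token the private half never leaves the device.
make_user_key() {
    [ -f "$WORK/user" ] || ssh-keygen -q -t ed25519 -N '' -C 'alice@token' -f "$WORK/user"
}

# 3. Sign the public key: key identity (for audit logs), allowed principals,
#    bounded validity, and a restriction on what the certificate may do.
#    Output is $WORK/user-cert.pub.
issue_cert() {
    principals="$1"; validity="$2"
    ssh-keygen -q -s "$WORK/ca" -I "alice-$(date +%s)" -n "$principals" \
        -V "$validity" -O no-port-forwarding "$WORK/user.pub"
}

# 4. What sshd matches against AuthorizedPrincipalsFile: the principals
#    embedded in the certificate, as a comma-separated list.
cert_principals() {
    ssh-keygen -L -f "$WORK/user-cert.pub" \
        | awk '/Principals:/{p=1; next} /Critical Options:/{p=0} p{print $1}' \
        | paste -sd, -
}

# The certificate key type, which shows that the CA signature wraps the
# underlying key type (with a -sk key this would be sk-ssh-ed25519-cert-v01@openssh.com).
cert_type() {
    ssh-keygen -L -f "$WORK/user-cert.pub" | awk '/Type:/{print $2; exit}'
}

# 5. Server side (assumed sshd_config lines, shown for context only):
#    TrustedUserCAKeys /etc/ssh/ca.pub
#    AuthorizedPrincipalsFile /etc/ssh/principals/%u
# Each account's principals file lists which certificate principals may log
# in as that account, so no per-user authorized_keys copies are needed.

make_ca
make_user_key
issue_cert "alice,deploy" "+8h"
echo "certificate type: $(cert_type)"
echo "principals:       $(cert_principals)"
```

Revocation and rotation stay cheap with this layout: a compromised token is handled by a `RevokedKeys` entry or simply by letting its last certificate expire, and the CA public key is the only thing that has to be distributed to hosts.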
Posted Jun 12, 2026 16:01 UTC (Fri) by LtWorf (subscriber, #124958) [Link]