[SSL Observatory] SSL CA compromise in the wild

Matt McCutchen matt at mattmccutchen.net
Wed Mar 23 11:11:42 PDT 2011


On Wed, 2011-03-23 at 13:55 -0400, Steve Schultze wrote:
> On Mar 23, 2011, at 1:49 PM, Daniel Kahn Gillmor wrote:
> > Unless you use OpenSSH's new self-designed certificates;
> 
> reference?  I'm not sure what this means.

See the CERTIFICATES section of the ssh-keygen(1) man page.

One other method is to import known_hosts files from an external
integrity-protected source.  Of course, they should be constrained to
the appropriate domain.  I have written a tool to do this and am using
it for myself, but have not published it yet.

-- 
Matt
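
Added example (not part of the original message, and not the unpublished tool it mentions): one way to constrain imported known_hosts entries to a single domain before merging them. It assumes the file's integrity has already been verified; the function names, the example.org domain and the sample lines are constructed for illustration.

```python
# Added example: keep only known_hosts entries confined to one domain.
# Assumes the file's integrity was verified beforehand (e.g. a signature check).

def pattern_in_domain(pattern, domain):
    """True if every host the pattern can match lies inside `domain`."""
    p = pattern.lstrip("!").lower()   # negated patterns are checked the same way
    if p.startswith("|"):             # hashed entry: host name is not recoverable
        return False
    if p.startswith("["):             # "[host]:port" form for non-default ports
        p = p[1:].split("]", 1)[0]
    p = p.rstrip(".")
    # Wildcards (* and ?) are only safe in front of a literal ".domain" suffix.
    return p == domain or p.endswith("." + domain)

def constrain(lines, domain):
    """Split known_hosts lines into (accepted, rejected) for `domain`."""
    domain = domain.lower().rstrip(".")
    accepted, rejected = [], []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):   # @cert-authority / @revoked marker
            fields = fields[1:]
        # Need at least: host patterns, key type, key.
        if len(fields) >= 3 and all(
            pattern_in_domain(p, domain) for p in fields[0].split(",")
        ):
            accepted.append(line)
        else:
            rejected.append(line)
    return accepted, rejected

# Constructed sample input; the key blobs are placeholders, not real keys.
SAMPLE = [
    "# hosts published by example.org",
    "git.example.org,[git.example.org]:2222 ssh-ed25519 AAAAPLACEHOLDER1",
    "@cert-authority *.example.org ssh-ed25519 AAAAPLACEHOLDER2",
    "@cert-authority * ssh-ed25519 AAAAPLACEHOLDER3",
    "*example.org ssh-ed25519 AAAAPLACEHOLDER4",
    "login.bank.test ssh-rsa AAAAPLACEHOLDER5",
    "|1|c2FsdA==|aGFzaA== ssh-ed25519 AAAAPLACEHOLDER6",
]

if __name__ == "__main__":
    ok, bad = constrain(SAMPLE, "example.org")
    print("\n".join(ok))
    print("rejected:", len(bad))
```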



