> > Implementation of SFTP doesn't require certificate management
> > infrastructure and expensive certificates from external organizations.
> > SSH is also open source and freely distributed; few if any FTPS clients
> > or servers are.
>
> No certificate management? Feh. You are responsible for adhering to your
> company's policy regarding certificates. Old or ill-managed certificates
> are just as dangerous as old or ill-managed passwords.
No argument there -- opportunities for stupidity are as ubiquitous as FORTRAN-like coding styles.

Alan Ackerman asked why SSH and SFTP are so successful in the Unix world. SSH doesn't *require* a CA or other certificate management widgets *at all*. It doesn't *require* distribution of certificates before it can be useful. It doesn't *require* generation of certificates by anyone. It doesn't *require* paying for individual host certificates for every host you want to secure. It doesn't *require* figuring out what approved vendors are in the default root certificate list on operating system X, Y or Z and how to integrate your certificate into that infrastructure if it's not included. It doesn't cost anything per year to get started. It "Just Works" out of the box. And it's preloaded in most places that Unix weenies care about -- even on VMS and newer versions of Windows.

How many pages of documentation does it require to explain the setup of SSLSERV, or even to understand what's happening in it? How much is the cheapest enterprise-wide certificate from a company in the default Windows root CA list? The defense rests.

Don't get me wrong -- there are places for both. The above is why you don't find FTPS and SSL-wrapped TELNET widely used in the Unix community. Too many moving parts and other stuff needed to get started.
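What replaces the CA in the SSH model described above is host-key pinning: the client records each server's public key in known_hosts the first time it connects and refuses to proceed if a later connection presents a different key. The following is an added illustration, not code from this thread or from OpenSSH. It builds a constructed ssh-ed25519 public key (the 32 key bytes are made up, not a real key), computes the SHA256 fingerprint in the same form that `ssh-keygen -lf` prints, and applies the trust-on-first-use check that an SSH client performs. The host names and the `check_host_key` helper are assumptions for the example.

```python
"""Host-key pinning in the style of OpenSSH's known_hosts (added example)."""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': uint32 big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(raw32: bytes, comment: str) -> str:
    """Build an OpenSSH public-key line ('ssh-ed25519 <base64 blob> <comment>')
    from 32 raw Ed25519 public-key bytes. The blob is the SSH wire encoding:
    string("ssh-ed25519") followed by string(key bytes)."""
    if len(raw32) != 32:
        raise ValueError("Ed25519 public keys are exactly 32 bytes")
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def key_blob(pubkey_line: str) -> bytes:
    """Return the decoded key blob (type + key material) from a public-key line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("malformed public-key line")
    return base64.b64decode(fields[1])


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint as OpenSSH displays it: 'SHA256:' + base64 digest
    with the trailing '=' padding removed (43 characters for a 32-byte hash)."""
    digest = hashlib.sha256(key_blob(pubkey_line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_host_key(known_hosts: dict, host: str, presented_line: str) -> str:
    """Trust-on-first-use policy, mirroring what an SSH client does:
    'unknown'  -> no pinned key; the operator must confirm the fingerprint
                  out of band before accepting (this is the step that
                  replaces CA validation, and the step people skip).
    'ok'       -> presented key is byte-for-byte the pinned key.
    'mismatch' -> pinned key differs: either the host was legitimately
                  re-keyed or the connection is being intercepted; stop."""
    if host not in known_hosts:
        return "unknown"
    if key_blob(known_hosts[host]) == key_blob(presented_line):
        return "ok"
    return "mismatch"


# Constructed sample data (not real keys, not real hosts).
HOST_KEY_LINE = make_ed25519_pubkey_line(bytes(range(32)), "root@mvs.example.internal")
ROGUE_KEY_LINE = make_ed25519_pubkey_line(bytes(range(1, 33)), "someone-else")
KNOWN_HOSTS = {"mvs.example.internal": HOST_KEY_LINE}
FINGERPRINT = fingerprint(HOST_KEY_LINE)

if __name__ == "__main__":
    print("pinned fingerprint :", FINGERPRINT)
    print("same key           :", check_host_key(KNOWN_HOSTS, "mvs.example.internal", HOST_KEY_LINE))
    print("different key      :", check_host_key(KNOWN_HOSTS, "mvs.example.internal", ROGUE_KEY_LINE))
    print("never-seen host    :", check_host_key(KNOWN_HOSTS, "other.example.internal", HOST_KEY_LINE))
```

The point the code makes is that SSH has not removed key management, it has moved it: the 'unknown' branch is exactly where an operator has to compare the fingerprint against one obtained through a trusted channel, and the 'mismatch' branch is why a stale known_hosts entry after a server re-key is disruptive rather than silent. Old or ill-managed keys carry the same risk the quoted reply attributes to certificates.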
