https://bugzilla.mindrot.org/show_bug.cgi?id=3869
--- Comment #2 from Brendan Hide <[email protected]> ---
> If it is possible to load a certificate without the private key, then there
> is no proof that the user loading the certificate has *access* to the private
> key material that corresponds to that certificate.

Perhaps I don't understand the security model well. If the agent has a certificate and the client tries to load a new one with a matching pubkey+signer/etc (and with a newer expiry date), I'm not sure it really matters that the client doesn't have access to the private key. As a parallel, cert issuers never have access to your private keys, only your public keys.
