Leroy Tennison wrote:
If sftp uses keys instead of certificates, what kind of keys are used and why can't they take advantage of chains of trust? If this statement isn't true please explain what's wrong with it.
SFTP uses SSH keys, which are generated completely by the client, not a certificate authority. Chains of trust don't apply because there is no third party involved.
The other question concerns "SFTP clients must install keys on the server". (Again, if this is true) What are they talking about? I've done some reading in the SSH RFCs and, as best as I can tell, the client is the one accepting and verifying the server key (I'm not so sure I have a firm grasp on all that the RFCs are saying). If this is true why are clients installing keys on the server?
The client's public key is installed on the server so that the server knows which clients are allowed to connect to it.
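An added example, not part of the original thread: a sketch of how the installed client keys can be audited on the server side, assuming an OpenSSH server, where those public keys are stored one per line in an `authorized_keys` file. It parses each line, checks that the key type named in the line matches the type embedded in the key blob, and computes the SHA256 fingerprint in the form OpenSSH displays. The helper names and the sample entries are constructed for illustration.

```python
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}

def embedded_type(blob):
    """Return the key-type name stored at the start of an SSH public key blob."""
    try:
        (n,) = struct.unpack_from(">I", blob, 0)
    except struct.error:
        raise ValueError("blob too short")
    if 4 + n > len(blob):
        raise ValueError("truncated blob")
    return blob[4:4 + n].decode("ascii", "replace")

def parse_entry(line):
    """Parse one authorized_keys line into (options, type, fingerprint, comment)."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field not in KEY_TYPES:
            continue  # still inside the optional leading options field
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
            if embedded_type(blob) != field:
                continue  # declared type does not match the blob
        except ValueError:
            continue
        digest = hashlib.sha256(blob).digest()
        fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
        return " ".join(fields[:i]), field, fp, " ".join(fields[i + 2:])
    raise ValueError("no valid public key in line")

def audit(text):
    """Parse every key line, skipping blank lines and # comments."""
    lines = (l.strip() for l in text.splitlines())
    return [parse_entry(l) for l in lines if l and not l.startswith("#")]

def make_blob(key_type, key_bytes):
    """Build a wire-format blob: two length-prefixed strings (ed25519 layout)."""
    kt = key_type.encode()
    return struct.pack(">I", len(kt)) + kt + struct.pack(">I", len(key_bytes)) + key_bytes

# Constructed sample: the 32 key bytes are filler, not a real client key.
SAMPLE_B64 = base64.b64encode(make_blob("ssh-ed25519", bytes(range(32)))).decode()
SAMPLE = (
    "# constructed authorized_keys content\n"
    f"ssh-ed25519 {SAMPLE_B64} alice@laptop\n"
    f'restrict,from="192.0.2.10" ssh-ed25519 {SAMPLE_B64} backup job\n'
)

if __name__ == "__main__":
    for entry in audit(SAMPLE):
        print(entry)
```

Comparing these fingerprints with the one the key owner reads off their own public key is how an administrator confirms which client each entry admits.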
