I have a question about the key blacklist feature in this new release. What if ssh-keygen is run, and happens to generate a blacklisted key? Will it abort or print a warning or something like that? Should it?

If ssh-keygen generates such a key today, openssl is broken. But if it happens a couple of years from now, you're probably just astronomically unlucky and the fixed openssl happened to still generate a key in the small set of weak keys. And in that hypothetical, the user probably doesn't know anything about what happened historically (today) and could be very puzzled that their shiny new key doesn't work.

--
see shy jo