

OpenSSH now supports certified/signed keys for users and hosts - there
http://marc.info/?l=openbsd-cvs&m=126721648405075&w=2

======
hannibalhorn
Good to have the option; I know I'd prefer it to distributing and maintaining
a known_hosts file to a whole network.

That said, I really prefer the idea of using DNSSEC with SSHFP records to CA
infrastructure, but that's obviously not as feasible with VPSs / EC2 and the
like. Revocation is certainly more straightforward.

