SSH CAs improve efficiency and convenience.

A hardware key that requires touch per login is a game-changer. When you go do lunch you know that your key did nothing, no matter how compromised your workstation is. When your machine is turned off you know that there's no copy of the key somewhere. That key cannot be used.

A software cert-based key may be valid for only hours (if you set it up that way), but that means that there are 7 billion possible attackers who could use your key. They could break into your workstation and wait for the screensaver to kick in, and then log in to every single host you have access to, and do their naughty business.

For a hardware key someone has to take a plane from China and break into your house to use your key.

> It's still a long-held credential

Doesn't have to be. But if it is, so what? Given physical locks that are unpickable and keys uncopyable, would you rather instead change locks every day, where the keys are copyable? (even if cost of changing locks scales O(1) with price)

> that long-held key can even live on a Yubikey if you use U2F/WebAuthn

Like I said, one does not exclude the other. You can't prove that A is better than B by saying A+B is better than B.

There's also devices that don't support SSH certificates (e.g. embedded devices), but supporting pubkeys is vastly more common.

One of the servers I've had the misfortune of using responds to even proposed public key auth by failing all subsequent authentication on that connection. So you need to immediately do password auth if you want to get in. Brilliant.

I presume the WG specifically wanted to see SSH with public keys deployed widely rather than a world where most places upgrade from telnet to SSH with passwords and think that's the job done.

Yeah, but even if the sshd supports it that doesn't mean that the product has a way to configure it. There may be no non-volatile space for a pubkey.

I have encountered it, but yeah it's rare.