- * This patch is significantly old; it doesn't appear to have been
- maintained beyond OpenSSH 3.6p1. As of this writing, OpenSSH is on
- version 5.1p1.
-
- * It requires patching OpenSSH.
+ * This patch is old; it doesn't appear to have been maintained beyond
+ OpenSSH 3.6p1. As of this writing, OpenSSH 5.1p1 is current.
+
+ * It only provides infrastructure in one direction: the user
+ authenticating the host by name. There doesn't seem to be a
+ mechanism for dealing with identifying users by name, or allowing
+ users to globally revoke or update keys.
+
+ * The choice of User ID (`anything goes here (and here!)
+ <ssh@foo.example.net>`) for host keys overlaps with the current use
+ of the User ID space. While it's unlikely that someone actually
+ uses this e-mail address in the web of trust, it would be a nasty
+ collision, as the holder of that key could impersonate the server
+ in question. The monkeysphere uses [User IDs of the form
+ `ssh://foo.example.net`](http://tools.ietf.org/wg/secsh/draft-ietf-secsh-scp-sftp-ssh-uri/)
+ to avoid collisions with existing use.
+
+ * It's not clear that `openssh-gpg` acknowledges or respects the
+ [usage flags](http://tools.ietf.org/html/rfc4880#section-5.2.3.21)
+ on the host keys. This means that it could accept a "sign-only"
+ key as suitable for authenticating a host, despite the
+ clearly-marked intentions of the key-holder.
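Review bot: the removed bullet "It requires patching OpenSSH" has no replacement among the three added bullets, yet it is a separate drawback from the age of the patch (the first bullet) and a real deployment cost; suggest keeping it as its own item, e.g. "* It requires patching and rebuilding OpenSSH, so it cannot be used with distribution packages." Two smaller points in the same hunk: the usage-flags bullet is hedged with "It's not clear", so either verify against the openssh-gpg source whether the key flags subpacket (RFC 4880 section 5.2.3.21) is checked and state the result, or say plainly that this was not verified; and the link on "User IDs of the form `ssh://foo.example.net`" points to the secsh URI draft, which defines the ssh: URI scheme rather than the monkeysphere User ID convention, so a short clause such as "following the ssh URI scheme" would make the reference read correctly.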