+ * X.509 certificates can identify hosts by name, but not by
+ individual service. This means that a compromised web or e-mail
+ server with access to the X.509 key for that service could re-use
+ its certificate as an SSH server, and it would be able to
+ masquerade successfully.
+
+ The monkeysphere uses [User IDs of the form
+ `ssh://foo.example.net`](http://tools.ietf.org/wg/secsh/draft-ietf-secsh-scp-sftp-ssh-uri/),
+ so they are not by-default shared across services on the same host
+ (you can still share a key across services on the same host if you
+ like, but the service User IDs can be certified independently of
+ one another).