    I think this part of the design:

    The authorization is performed directly on the target host based on the user certificate content and the local host identity only. Not accessing external services makes it suitable for low dependency, last resort, SSH access.

    is really interesting in that you can still log in to a host that is unable to talk to a central authority, e.g. an LDAP server, but you are still managing access centrally via the Certificate Authority.
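To make the quoted design concrete, here is an added example (my own illustration, not code from the original post or from the project it discusses) of an authorization decision that uses nothing but the OpenSSH user certificate and facts the host already knows about itself. It serialises and parses the `ssh-ed25519-cert-v01@openssh.com` wire format from PROTOCOL.certkeys, then grants or refuses a login from the certificate's principals, validity window and `source-address` critical option. Everything else is an assumption: the `account@role` principal convention, the host's `hostname`/`roles` dictionary, the constructed sample certificate, and the placeholder signature. Verifying the CA signature against a trusted CA key is what sshd's `TrustedUserCAKeys` does and is deliberately left out; the point is that the decision after that step needs no network.

```python
import ipaddress
import struct

# OpenSSH user certificate wire format (PROTOCOL.certkeys), Ed25519 flavour.
CERT_ALGO = b"ssh-ed25519-cert-v01@openssh.com"
SSH_CERT_TYPE_USER = 1


def _string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _string_list(items) -> bytes:
    # "valid principals" is one string holding zero or more packed strings.
    return b"".join(_string(i.encode()) for i in items)


def _option_list(opts: dict) -> bytes:
    # Each critical option / extension is "string name, string data"; valued
    # options (force-command, source-address) pack their value as a nested
    # string, flag-style ones carry empty data. Names must be in lexical order.
    out = b""
    for name, value in sorted(opts.items()):
        out += _string(name.encode()) + _string(_string(value.encode()) if value else b"")
    return out


def build_user_cert(pubkey, key_id, principals, valid_after, valid_before,
                    critical_options, extensions, ca_key_blob, signature_blob):
    """Serialise a user certificate. The caller supplies the signature; this
    example never signs anything (assumption: signature checked elsewhere)."""
    body = (_string(CERT_ALGO)
            + _string(b"\x00" * 32)                 # nonce (random in ssh-keygen)
            + _string(pubkey)
            + struct.pack(">Q", 0)                   # serial
            + struct.pack(">I", SSH_CERT_TYPE_USER)
            + _string(key_id.encode())
            + _string(_string_list(principals))
            + struct.pack(">Q", valid_after) + struct.pack(">Q", valid_before)
            + _string(_option_list(critical_options))
            + _string(_option_list(extensions))
            + _string(b"")                           # reserved
            + _string(ca_key_blob))
    return body + _string(signature_blob)


class _Reader:
    def __init__(self, buf):
        self.buf, self.off = buf, 0

    def u32(self):
        (v,) = struct.unpack_from(">I", self.buf, self.off); self.off += 4; return v

    def u64(self):
        (v,) = struct.unpack_from(">Q", self.buf, self.off); self.off += 8; return v

    def string(self):
        n = self.u32(); s = self.buf[self.off:self.off + n]
        if len(s) != n:
            raise ValueError("truncated certificate")
        self.off += n; return s

    def strings(self):
        out = []
        while self.off < len(self.buf):
            out.append(self.string())
        return out


def _read_options(blob: bytes) -> dict:
    r, out = _Reader(blob), {}
    while r.off < len(r.buf):
        name, data = r.string().decode(), r.string()
        out[name] = _Reader(data).string().decode() if data else ""
    return out


def parse_user_cert(blob: bytes) -> dict:
    r = _Reader(blob)
    if r.string() != CERT_ALGO:
        raise ValueError("unsupported certificate type")
    r.string()                                       # nonce
    pubkey, serial, cert_type = r.string(), r.u64(), r.u32()
    key_id = r.string().decode()
    principals = [p.decode() for p in _Reader(r.string()).strings()]
    valid_after, valid_before = r.u64(), r.u64()
    critical, extensions = _read_options(r.string()), _read_options(r.string())
    r.string()                                       # reserved
    ca_key, signature = r.string(), r.string()
    return dict(pubkey=pubkey, serial=serial, type=cert_type, key_id=key_id,
                principals=principals, valid_after=valid_after,
                valid_before=valid_before, critical_options=critical,
                extensions=extensions, ca_key=ca_key, signature=signature)


def authorize_locally(cert, account, host, client_ip, now):
    """Decide from certificate content plus local host identity only.
    host = {"hostname": str, "roles": set}; the "<account>@<role>" principal
    convention is an assumption of this example, not an OpenSSH rule."""
    if cert["type"] != SSH_CERT_TYPE_USER:
        return False, "not a user certificate"
    if not (cert["valid_after"] <= now < cert["valid_before"]):
        return False, "outside validity window"
    accepted = {account, f"{account}@{host['hostname']}"}
    accepted |= {f"{account}@{role}" for role in host["roles"]}
    matched = accepted & set(cert["principals"])
    if not matched:
        return False, f"no principal grants {account} on this host"
    src = cert["critical_options"].get("source-address")
    if src and not any(ipaddress.ip_address(client_ip) in ipaddress.ip_network(n.strip())
                       for n in src.split(",")):
        return False, "client address not permitted by source-address"
    return True, f"matched principal {sorted(matched)[0]}"


# Constructed sample data (not a real key, CA or signature).
NOW = 1_700_000_000
SAMPLE_CERT = build_user_cert(
    pubkey=b"\x11" * 32, key_id="alice-laptop", principals=["alice", "deploy@web"],
    valid_after=NOW - 3600, valid_before=NOW + 3600,
    critical_options={"source-address": "10.0.0.0/8"}, extensions={"permit-pty": ""},
    ca_key_blob=b"\x22" * 32, signature_blob=b"\x00" * 64)
WEB_HOST = {"hostname": "web-03", "roles": {"web"}}

if __name__ == "__main__":
    for account in ("deploy", "alice", "root"):
        print(account, authorize_locally(parse_user_cert(SAMPLE_CERT), account, WEB_HOST, "10.1.2.3", NOW))
```

The host only needs its own name and role tags plus the CA public key it was provisioned with; an LDAP outage changes nothing here, and revocation is handled by short validity windows or a local `RevokedKeys` file rather than a lookup.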