Leroy Tennison wrote:
> If sftp uses keys instead of certificates, what kind of keys are used
> and why can't they take advantage of chains of trust? If this
> statement isn't true please explain what's wrong with it.

SFTP uses SSH keys, which are generated completely by the client, not a
certificate authority. Chains of trust don't apply because there is no
third party involved.

> The other question concerns "SFTP clients must install keys on the
> server". (Again, if this is true) What are they talking about? I've
> done some reading in the SSH RFCs and, as best as I can tell, the
> client is the one accepting and verifying the server key (I'm not so
> sure I have a firm grasp on all that the RFCs are saying). If this is
> true why are clients installing keys on the server?

The client's public key is installed on the server so that the server
knows which clients are allowed to connect to it.
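
The server-side lookup described above, as an added example that is not part of the original reply: it parses an `authorized_keys`-style file, decodes each bare public key blob, and checks whether a presenting client's key is listed. The key blobs, the `alice@laptop` comment and the helper names are constructed for illustration, and option handling is simplified.

```python
import base64, hashlib, struct
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256")

def read_string(buf, off):
    """Read one SSH wire-format string: uint32 length, then that many bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:end], end

def fingerprint(blob):
    """SHA256 fingerprint in the form `ssh-keygen -l` prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Map fingerprint -> comment; leading options are skipped (simplified)."""
    keys = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue
        try:
            blob = base64.b64decode(tokens[idx + 1], validate=True)
            inner, _ = read_string(blob, 0)
        except (ValueError, struct.error):
            continue
        if inner.decode("ascii", "replace") != tokens[idx]:
            continue  # type named inside the blob must match the declared type
        keys[fingerprint(blob)] = " ".join(tokens[idx + 2:])
    return keys

def is_listed(client_blob, keys):
    """Listing only selects the key; the client must still sign with the private half."""
    return fingerprint(client_blob) in keys

def sample_blob(fill):  # constructed ed25519-shaped blob, not a real key
    name = b"ssh-ed25519"
    return struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes([fill]) * 32

ALICE, MALLORY = sample_blob(0x11), sample_blob(0x22)
SAMPLE = ("# constructed sample file\n"
          f"ssh-ed25519 {base64.b64encode(ALICE).decode()} alice@laptop\n"
          "ssh-ed25519 bm90LWEta2V5 broken@entry\n")
KEYS = parse_authorized_keys(SAMPLE)
```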