IETF-SSH archive
Re: OpenSSH certified keys
On Tue, 16 Mar 2010, denis bider (Bitvise) wrote:
> I second Nicolas's concern. Your spec doesn't even mention revocation.
> How is revocation handled? Are the keys expected to be certified only
> for a very short term?
>
> If certification is expected to be for only a very short term, are you
> putting an infrastructure in place that allows a client to obtain a
> fresh certificate before it connects?
>
> If you are putting such infrastructure in place, do you have a spec for
> how the client obtains the fresh certificate?
>
> Otherwise, if you are planning for these certificates to be long-term,
> what is your solution for revocation?
For OpenSSH, revocation is implemented as a simple list of banned keys.
Since keys are the entity that is revoked and not certificates, and
because there are no wire-side changes required for revocation, I don't
really see it as part of this certificate specification.
-d
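The key-based revocation model described in the reply above, as an added illustration that is not OpenSSH's own code: a banned-key list in the usual "keytype base64 [comment]" line format is parsed, and a certificate is accepted only if the key it certifies is absent from that list. Because the list names keys rather than certificates, every certificate issued over a revoked key is refused regardless of serial or principals, which is the property the reply relies on. The example also refuses certificates whose CA key is on the list; that extension is the example's own design choice, not something stated in the thread. All key material and the file contents are constructed placeholders, and certificate signature verification is assumed to have happened already.

```python
import base64
from dataclasses import dataclass

# Constructed placeholder key blobs (not real keys): base64 of a padded seed.
def _blob(seed: bytes) -> str:
    return base64.b64encode(seed.ljust(32, b"\0")).decode()

USER_KEY = f"ssh-ed25519 {_blob(b'user-key')}"
OTHER_KEY = f"ssh-ed25519 {_blob(b'other-user')}"
CA_KEY = f"ssh-ed25519 {_blob(b'ca-key')}"

# Constructed sample of a revoked-keys file: one key per line, with an
# optional trailing comment, blank lines and '#' comments ignored.
REVOKED_KEYS_FILE = f"""# revoked keys (constructed sample)
{USER_KEY} alice@laptop-lost-2010
"""


@dataclass(frozen=True)
class Certificate:
    key: str            # the public key being certified
    serial: int
    principals: tuple   # user names the certificate is valid for
    ca_key: str         # the key that signed the certificate


def key_id(key_line: str) -> tuple:
    """Identity of a key is (type, blob); any comment is ignored."""
    parts = key_line.split()
    if len(parts) < 2:
        raise ValueError("malformed key line")
    return (parts[0], parts[1])


def parse_revoked(text: str) -> set:
    """Parse a revoked-keys file into a set of (type, blob) identities."""
    revoked = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: skip rather than match anything
        revoked.add((parts[0], parts[1]))
    return revoked


def is_revoked(key_line: str, revoked: set) -> bool:
    return key_id(key_line) in revoked


def cert_allowed(cert: Certificate, revoked: set, check_ca: bool = True) -> tuple:
    """Return (allowed, reason). Signature validity is assumed checked already.

    Revocation is keyed on the certified key, so serial and principals play
    no part: every certificate over a banned key is refused. Refusing on a
    revoked CA key is this example's extension to the model in the thread.
    """
    if is_revoked(cert.key, revoked):
        return (False, "certified key revoked")
    if check_ca and is_revoked(cert.ca_key, revoked):
        return (False, "CA key revoked")
    return (True, "ok")


def demo() -> list:
    """Evaluate several constructed certificates against the sample list."""
    revoked = parse_revoked(REVOKED_KEYS_FILE)
    certs = [
        Certificate(USER_KEY, serial=1, principals=("alice",), ca_key=CA_KEY),
        Certificate(USER_KEY, serial=99, principals=("alice", "ops"), ca_key=CA_KEY),
        Certificate(OTHER_KEY, serial=2, principals=("bob",), ca_key=CA_KEY),
    ]
    return [(c.serial, cert_allowed(c, revoked)) for c in certs]


if __name__ == "__main__":
    for serial, (ok, reason) in demo():
        print(f"serial {serial}: {'accept' if ok else 'reject'} ({reason})")
```

Note that reissuing a certificate with a new serial over the same key does not restore access; the user needs a fresh key pair, which is exactly why no wire-side change is needed to revoke.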