IETF-SSH archive


Re: OpenSSH certified keys



Damien,

> For OpenSSH, revocation is implemented as a simple list
> of banned keys. Since keys are the entity that is revoked
> and not certificates, and because there are no wire-side
> changes required for revocation, I don't really see it as
> part of this certificate specification.

does this list of banned keys need to be manually deployed to each 
server, or does OpenSSH support a protocol for retrieving this list 
remotely?

If the list of banned keys must be manually deployed, then this sounds 
worse than CRL. In this case, you're introducing a scheme which allows 
new keys to be added centrally, but requires manually updating the 
configuration of each server when keys are revoked.

On the other hand, if OpenSSH is capable of retrieving the list of 
banned keys periodically, then the protocol for doing so is of interest 
to other implementors as well. If one intends to interoperate with the 
OpenSSH certificate format, then one should certainly support retrieving 
the list of banned keys as well.

denis


----- Original Message ----- 
From: "Damien Miller" <djm%mindrot.org@localhost>
To: "denis bider \(Bitvise\)" <ietf-ssh2%denisbider.com@localhost>
Cc: "Nicolas Williams" <Nicolas.Williams%sun.com@localhost>; <ietf-ssh%NetBSD.org@localhost>
Sent: Tuesday, March 16, 2010 16:45
Subject: Re: OpenSSH certified keys


On Tue, 16 Mar 2010, denis bider \(Bitvise\) wrote:

> I second Nicolas's concern. Your spec doesn't even mention revocation.
> How is revocation handled? Are the keys expected to be certified only
> for a very short term?
>
> If certification is expected to be for only a very short term, are you
> putting an infrastructure in place that allows a client to obtain a
> fresh certificate before it connects?
>
> If you are putting such infrastructure in place, do you have a spec for
> how the client obtains the fresh certificate?
>
> Otherwise, if you are planning for these certificates to be long-term,
> what is your solution for revocation?

For OpenSSH, revocation is implemented as a simple list of banned keys.
Since keys are the entity that is revoked and not certificates, and
because there are no wire-side changes required for revocation, I don't
really see it as part of this certificate specification.

-d
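[Added illustration, not part of the thread above and not OpenSSH's own
code.] The point Damien makes, that the banned-key list revokes keys
rather than certificates, means a server checking a presented
certificate has to look at the public key embedded in the certificate
and compare that against the list; issuing a fresh certificate for the
same key does not un-revoke it. The Python below models that check. It
assumes the ssh-ed25519 key and ssh-ed25519-cert-v01@openssh.com blob
layouts from PROTOCOL.certkeys, an authorized_keys-style banned list
(type, base64 blob, comment, one key per line), and uses constructed
32-byte stand-ins for key material with a zeroed signature; nothing here
verifies signatures, it only demonstrates which field is matched.

```python
import base64
import struct

# Constructed stand-ins for Ed25519 public keys (not real key material).
KEY_A = bytes(range(32))          # the key we will revoke
KEY_B = bytes(range(32, 64))      # an unrelated key
CA_KEY = bytes(range(64, 96))     # the "CA" key named in the certificate

# Constructed banned-key list in the one-key-per-line format a server would load.
REVOKED_KEYS = None  # filled in below once the encoders are defined


def _ssh_string(b):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def ed25519_blob(pk):
    """Plain public-key blob: string "ssh-ed25519", string pk."""
    return _ssh_string(b"ssh-ed25519") + _ssh_string(pk)


def ed25519_cert_blob(pk, serial, key_id, ca_pk):
    """Build an ssh-ed25519-cert-v01@openssh.com blob in the PROTOCOL.certkeys
    field order, with a zeroed nonce and signature (structurally parseable,
    not a valid certificate)."""
    return (_ssh_string(b"ssh-ed25519-cert-v01@openssh.com")
            + _ssh_string(b"\x00" * 32)                # nonce
            + _ssh_string(pk)                          # certified public key
            + struct.pack(">Q", serial)                # serial
            + struct.pack(">I", 1)                     # type: 1 = user certificate
            + _ssh_string(key_id)                      # key id
            + _ssh_string(_ssh_string(b"alice"))       # valid principals
            + struct.pack(">Q", 0)                     # valid after
            + struct.pack(">Q", 0xFFFFFFFFFFFFFFFF)    # valid before
            + _ssh_string(b"")                         # critical options
            + _ssh_string(b"")                         # extensions
            + _ssh_string(b"")                         # reserved
            + _ssh_string(ed25519_blob(ca_pk))         # signature key
            + _ssh_string(_ssh_string(b"ssh-ed25519")  # signature (dummy)
                          + _ssh_string(b"\x00" * 64)))


def blob_type(blob):
    return _read_string(blob, 0)[0]


def key_line(blob, comment):
    """Render a blob as a public-key file line: type, base64 blob, comment."""
    return "%s %s %s" % (blob_type(blob).decode(),
                         base64.b64encode(blob).decode(), comment)


def parse_key_line(line):
    return base64.b64decode(line.split(None, 2)[1])


def bare_key(blob):
    """The plain public-key blob underlying `blob`: for a certificate, the key
    it certifies; for a plain key, the blob itself. This is the value the
    banned list is matched against."""
    t, off = _read_string(blob, 0)
    if t == b"ssh-ed25519-cert-v01@openssh.com":
        _nonce, off = _read_string(blob, off)
        pk, _ = _read_string(blob, off)
        return ed25519_blob(pk)
    if t == b"ssh-ed25519":
        return blob
    raise ValueError("unsupported key type: %r" % t)


def load_revoked(text):
    """Parse a banned-key file; comments and blank lines are skipped."""
    banned = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            banned.add(bare_key(parse_key_line(line)))
    return banned


def is_revoked(presented_line, banned):
    return bare_key(parse_key_line(presented_line)) in banned


REVOKED_KEYS = "# banned keys (constructed sample)\n" + \
               key_line(ed25519_blob(KEY_A), "alice@laptop") + "\n"


def demo():
    """Return (old cert for KEY_A, re-issued cert for KEY_A, cert for KEY_B, plain KEY_A)
    revocation results against REVOKED_KEYS."""
    banned = load_revoked(REVOKED_KEYS)
    cert_a1 = key_line(ed25519_cert_blob(KEY_A, 1, b"alice", CA_KEY), "alice-cert")
    cert_a2 = key_line(ed25519_cert_blob(KEY_A, 2, b"alice-renewed", CA_KEY), "alice-cert-2")
    cert_b = key_line(ed25519_cert_blob(KEY_B, 3, b"bob", CA_KEY), "bob-cert")
    plain_a = key_line(ed25519_blob(KEY_A), "alice@laptop")
    return tuple(is_revoked(l, banned) for l in (cert_a1, cert_a2, cert_b, plain_a))


if __name__ == "__main__":
    print(demo())
```

The second certificate in demo() has a new serial and key id but certifies
the same key, and is still rejected: with key-based revocation, a user
whose key is banned must generate a new key pair, not merely obtain a new
certificate. Conversely, a certificate for a different key signed by the
same CA is unaffected, which is why revoking a CA key requires listing
the CA key itself rather than each certificate it issued.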

