IETF-SSH archive


Re: OpenSSH certified keys



On Tue, 16 Mar 2010, denis bider (Bitvise) wrote:

> Damien,
> 
> > For OpenSSH, revocation is implemented as a simple list
> > of banned keys. Since keys are the entity that is revoked
> > and not certificates, and because there are no wire-side
> > changes required for revocation, I don't really see it as
> > part of this certificate specification.
> 
> does this list of banned keys need to be manually deployed to each 
> server, or does OpenSSH support a protocol for retrieving this list 
> remotely?
> 
> If the list of banned keys must be manually deployed, then this sounds 
> worse than CRL. In this case, you're introducing a scheme which allows 
> new keys to be added centrally, but requires manually updating the 
> configuration of each server when keys are revoked.
>
> On the other hand, if OpenSSH is capable of retrieving the list of 
> banned keys periodically, then the protocol for doing so is of interest 
> to other implementors as well. If one intends to interoperate with the 
> OpenSSH certificate format, then one should certainly support retrieving 
> the list of banned keys as well.

The list of revoked keys is just a file on disk and OpenSSH implements
no special means to update it (so far). We could define some distribution
service or an online protocol to lookup key revocation status, possibly
as an SSH subsystem.

-d
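The "simple list of banned keys" discussed above can be modelled in a few lines. The following is an added example, not code from this thread or from OpenSSH: it assumes the revoked-key file is a flat text file with one public key per line in authorized_keys style (`keytype base64 [comment]`), skips blank lines and `#` comments, and matches on the decoded key blob so that a different comment field cannot hide a banned key. Because the thread says the key, not the certificate, is what gets revoked, the same check would be applied to the key carried inside a certificate; this example keeps to plain keys. The sample keys are constructed, not real.

```python
"""Constructed example: checking a presented public key against a flat
file of banned keys, one key per line in authorized_keys style.
This is not OpenSSH's code; the file layout is an assumption."""
import base64
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(buf: bytes, offset: int) -> tuple[bytes, int]:
    """Decode one SSH wire-format string at offset; return (data, new_offset)."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    if start + length > len(buf):
        raise ValueError("truncated string")
    return buf[start:start + length], start + length


def parse_public_key(line: str) -> tuple[str, bytes]:
    """Parse 'keytype base64 [comment]' into (keytype, raw blob).

    The blob's leading string must repeat the declared key type, as it does
    in OpenSSH public-key blobs; a mismatch is rejected as malformed.
    """
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("malformed key line")
    keytype, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    inner_type, _ = read_ssh_string(blob, 0)
    if inner_type.decode("ascii", "replace") != keytype:
        raise ValueError("declared key type does not match blob")
    return keytype, blob


def load_revoked_keys(text: str) -> set[tuple[str, bytes]]:
    """Parse the banned-key file. Blank lines and '#' comments are skipped;
    the trailing comment field is ignored so it cannot affect matching."""
    revoked = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        revoked.add(parse_public_key(line))
    return revoked


def is_revoked(key_line: str, revoked: set[tuple[str, bytes]]) -> bool:
    """True if the presented key's (type, blob) appears in the banned set."""
    return parse_public_key(key_line) in revoked


def make_key_line(keytype: str, raw: bytes, comment: str) -> str:
    """Build a constructed key line (not a real key) for the demonstration."""
    blob = ssh_string(keytype.encode()) + ssh_string(raw)
    return f"{keytype} {base64.b64encode(blob).decode()} {comment}"


# Constructed test data: deterministic fake 32-byte ed25519 public values.
BANNED_KEY = make_key_line("ssh-ed25519", bytes(range(32)), "alice@laptop")
OK_KEY = make_key_line("ssh-ed25519", bytes(range(1, 33)), "bob@desktop")
REVOKED_FILE = "# keys banned after the laptop theft (constructed)\n\n" + BANNED_KEY + "\n"


def demo() -> dict:
    """Run the check for a banned key, the same key re-commented, and a clean key."""
    revoked = load_revoked_keys(REVOKED_FILE)
    # Same key presented with a different comment is still revoked.
    renamed = BANNED_KEY.rsplit(" ", 1)[0] + " renamed@elsewhere"
    return {
        "banned": is_revoked(BANNED_KEY, revoked),
        "renamed": is_revoked(renamed, revoked),
        "ok": is_revoked(OK_KEY, revoked),
    }


if __name__ == "__main__":
    print(demo())  # {'banned': True, 'renamed': True, 'ok': False}
```

The point denis bider raises still stands with this model: the set is only as current as the file on each server, so whatever distributes the file (or answers an online lookup, as Damien suggests) is the piece that determines how quickly a revocation takes effect.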

