Daniel Hartmeier <daniel_at_benzedrine.cx> writes:

> This patch against OpenBSD -current adds a simple form of PKI to
> OpenSSH. We'll be using it at work.

Sounds like something that was needed for a while.

> +A host certificate is a guarantee made by the CA that a host public key is
> +valid. When a host public key carries a valid certificate, the client can
> +use the host public key without asking the user to confirm the fingerprint
> +manually and through out-of-band communication the first time. The CA takes
> +the responsibility of verifying host keys, and users do no longer need to
> +maintain known_hosts files of their own.

This confuses the whole authentication vs. authorization concepts.

authentication - "May I please see your driver's license?"

authorization - "That's a valid license but I don't see your name on the list to go in."

I would hate to have my ssh allow anyone in just because we used the same CA. I still see the authorized_keys file as having a very important role even if the first layer defense is to check if the certificate is signed by a CA I trust.

> +The CA, specifically the holder of the CA private key (and its password, if it
> +is password encrypted), holds broad control over hosts and user accounts set
> +up in this way. Should the CA private key become compromised, all user
> +accounts become compromised.
> +
> +There is no way to revoke a certificate once it has been published, the
> +certificate is valid until it reaches the expiry date set by the CA.

This fix is in the bag once authorized_keys gets consulted even for certificates.

-wolfgang
--
Wolfgang S. Rupprecht http://www.wsrcc.com/wolfgang/

Received on Thu Nov 16 2006 - 00:05:11 UTC
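Review bot: The host-certificate paragraph documents only the case where the host key "carries a valid certificate"; it never says what the client does when the certificate is missing, expired or fails verification. Since the closing sentence tells users they no longer need known_hosts files, the text should state the fallback explicitly (for example, that the client returns to manual fingerprint confirmation). Also, "users do no longer need to" should read "users no longer need to".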
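Review bot: The last two paragraphs of the CA section state that a compromised CA private key compromises all user accounts and that certificates cannot be revoked, but give the administrator no guidance on limiting that exposure. Suggest adding a sentence on what to do about it using what the text already offers, the expiry date set by the CA, and on how a CA key is replaced after compromise. The sentence "There is no way to revoke a certificate once it has been published, the certificate is valid until..." is also a comma splice; split it into two sentences.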
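The two-step check the reply argues for, as an added example that is not part of the original message or of the patch: a certificate is first authenticated against the CA, then the host's own allow list decides authorization, so deleting a line from that list takes effect before the certificate expires. The function names, the certificate fields and the allow-list format are assumptions made for illustration, and HMAC stands in for the CA's public-key signature so the code runs with the standard library only.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC stands in for the CA's public-key signature so the
# example needs only the standard library; a real verifier holds the CA public key only.
CA_KEY = b"constructed-demo-ca-key"

def _body(principal, pubkey, expires):
    # Unambiguous encoding of the signed fields.
    return json.dumps([principal, pubkey, expires]).encode()

def issue_cert(ca_key, principal, pubkey, expires):
    sig = hmac.new(ca_key, _body(principal, pubkey, expires), hashlib.sha256).hexdigest()
    return {"principal": principal, "pubkey": pubkey, "expires": expires, "sig": sig}

def authenticate(cert, ca_key, now):
    """Authentication: did the trusted CA sign this, and is it still within its lifetime?"""
    expected = hmac.new(ca_key, _body(cert["principal"], cert["pubkey"], cert["expires"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert["sig"]) and now < cert["expires"]

def parse_allow_list(text):
    """Hypothetical per-host list: one 'principal pubkey' pair per line, '#' starts a comment."""
    entries = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 2:
            entries.add((fields[0], fields[1]))
    return entries

def login_decision(cert, ca_key, allow_list, now):
    if not authenticate(cert, ca_key, now):
        return "reject: not authenticated"
    # Authorization: a valid certificate is necessary but not sufficient.
    if (cert["principal"], cert["pubkey"]) not in allow_list:
        return "reject: not authorized"
    return "accept"

# Constructed sample data: two users certified by the same CA, one host allow list.
NOW = 1_000
ALICE = issue_cert(CA_KEY, "alice", "AAAA-alice-key", expires=2_000)
BOB = issue_cert(CA_KEY, "bob", "AAAA-bob-key", expires=2_000)
HOST_LIST = parse_allow_list("# users allowed on this host\nalice AAAA-alice-key\n")

if __name__ == "__main__":
    for cert in (ALICE, BOB):
        print(cert["principal"], "->", login_decision(cert, CA_KEY, HOST_LIST, NOW))
```

Both certificates verify against the same CA, yet only the listed user is accepted; passing an empty allow list rejects a still-valid certificate, which is the revocation effect the reply describes.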