Re: OpenSSH Certkey (PKI)

From: Bob Beck <beck_at_bofh.cns.ualberta.ca>
Date: Thu, 16 Nov 2006 13:49:21 -0700
	I would think it would be nice if "CAL" had a way of
saying "these are the ones to be revoked" so no shutdown, just
propagate the bad one - but I'm talking to daniel offline about it..


* Nick Bender <nbender_at_gmail.com> [2006-11-16 13:23]:
> >+SECURITY IMPLICATIONS
> >+
> >+The CA, specifically the holder of the CA private key (and its password, 
> >if it
> >+is password encrypted), holds broad control over hosts and user accounts 
> >set
> >+up in this way. Should the CA private key become compromised, all user
> >+accounts become compromised.
> >+
> >+There is no way to revoke a certificate once it has been published, the
> >+certificate is valid until it reaches the expiry date set by the CA.
> >+
> 
> After spending a good part of a night locking down a network when an
> admin "left" this leaves me feeling cold.
> 
> I think the addition of CAL gives you at least a prayer of addressing
> this in a timely manner. In the event that you need to reauthorize
> from the top:
> 
> 1. Shutdown your CAL servers.
> 2. Generate and distribute new CA cert.
> 3. Generate and distribute new host certs.
> 4. Startup CAL servers.
> 5. Generate and distribute new user certs.
> 
> Did I miss anything?
> 
> The vulnerability window is now time from compromise to time of shutdown
> of CAL servers.
> 
> Note that there is one other time where the same procedure is required
> but without the time pressure - at CA cert expiry time.
> 
> I think the procedure should at least be included in the documentation
> if not supported in some way by software...
> 
> -N
> 

-- 
#!/usr/bin/perl
if ((not 0 && not 1) !=  (! 0 && ! 1)) {
   print "Larry and Tom must smoke some really primo stuff...\n"; 
}
Received on Thu Nov 16 2006 - 19:49:24 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:02 UTC