Hi,

Wolfgang S. Rupprecht wrote on Thu, Nov 16, 2006 at 08:43:20AM -0800:

[..]

> Oops. I quoted the wrong section. I had meant to quote the section
> about the user_certificates. This is what I meant to cite:
>
> +A user certificate is an authorization made by the CA that the
> +holder of a specific private key may login to the server as a
> +specific user, without the need of an authorized_keys file being
> +present. The CA gains the power to grant individual users access
> +to the server, and users do no longer need to maintain
> +authorized_keys files of their own.
>
> I don't see a problem with the host certificates methodology. (In
> fact I'd love to see the known_hosts files fade away as more hosts
> transition to using host certificates.)

Ok, I see. A user certificate just means that the user is authenticated, so I agree that the difference between authentication and authorisation can be mixed up here and becomes blurred.

In fact, it would mean that you could abandon the authorized_keys file, but you would still need an "authorized_users" file that would need to contain the DN (or a similar identifier) of the user that matches the certificate. So not a lot is saved, but things may become less transparent...

Cheers,
Daniel

Received on Fri Nov 17 2006 - 12:29:58 UTC
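The two server-side steps the reply separates, shown as an added example that is not part of this thread and not OpenSSH code: a CA signs a binding between an identity (DN) and a user public key; the server first authenticates (CA signature plus proof of possession of the certified key, which yields only the DN) and then consults a separate "authorized_users" mapping to decide which local accounts that DN may log in as. The certificate layout, the DN "CN=alice,O=Example", the accounts and the challenge are constructed for illustration; Ed25519 stands in for whatever signature scheme the proposal would use.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"log"
)

// SignedCert is a constructed, simplified stand-in for the proposed "user
// certificate": the CA signs a binding between an identity (DN) and the user's
// public key. It is neither the OpenSSH nor the X.509 certificate format.
type SignedCert struct {
	Body []byte // DN, a newline, then the raw 32-byte Ed25519 user public key
	Sig  []byte // CA signature over Body
}

// IssueCert is the CA's step: assert that the holder of userKey is dn.
func IssueCert(caPriv ed25519.PrivateKey, dn string, userKey ed25519.PublicKey) (SignedCert, error) {
	if bytes.IndexByte([]byte(dn), '\n') >= 0 {
		return SignedCert{}, errors.New("DN must not contain a newline")
	}
	if len(userKey) != ed25519.PublicKeySize {
		return SignedCert{}, errors.New("bad user public key length")
	}
	body := append([]byte(dn+"\n"), userKey...)
	return SignedCert{Body: body, Sig: ed25519.Sign(caPriv, body)}, nil
}

// parseBody splits a certificate body back into DN and user public key.
func parseBody(body []byte) (string, ed25519.PublicKey, error) {
	i := bytes.IndexByte(body, '\n')
	if i < 0 || len(body)-i-1 != ed25519.PublicKeySize {
		return "", nil, errors.New("malformed certificate body")
	}
	return string(body[:i]), ed25519.PublicKey(body[i+1:]), nil
}

// Authenticate establishes *who* the client is: the certificate must carry a
// valid signature from the trusted CA, and the client must prove possession of
// the certified private key by signing the server's fresh challenge.
// It deliberately says nothing about which account the client may use.
func Authenticate(caPub ed25519.PublicKey, cert SignedCert, challenge, proof []byte) (string, error) {
	if !ed25519.Verify(caPub, cert.Body, cert.Sig) {
		return "", errors.New("certificate not signed by the trusted CA")
	}
	dn, userKey, err := parseBody(cert.Body)
	if err != nil {
		return "", err
	}
	if !ed25519.Verify(userKey, challenge, proof) {
		return "", errors.New("client does not hold the certified private key")
	}
	return dn, nil
}

// AuthorizedUsers is the "authorized_users" mapping the reply argues is still
// needed: certified identity -> local accounts that identity may log in as.
type AuthorizedUsers map[string][]string

// Authorize is the separate authorization step over an authenticated DN.
func (a AuthorizedUsers) Authorize(dn, account string) bool {
	for _, allowed := range a[dn] {
		if allowed == account {
			return true
		}
	}
	return false
}

// Login is the server's full decision: authenticate, then authorize.
// An error means authentication failed; false means the identity is genuine
// but not permitted to use the requested account.
func Login(caPub ed25519.PublicKey, au AuthorizedUsers, cert SignedCert, challenge, proof []byte, account string) (bool, error) {
	dn, err := Authenticate(caPub, cert, challenge, proof)
	if err != nil {
		return false, err
	}
	return au.Authorize(dn, account), nil
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader)
	cert, err := IssueCert(caPriv, "CN=alice,O=Example", userPub) // constructed DN
	if err != nil {
		log.Fatal(err)
	}
	challenge := make([]byte, 32) // server-chosen nonce, fresh per connection
	if _, err := rand.Read(challenge); err != nil {
		log.Fatal(err)
	}
	proof := ed25519.Sign(userPriv, challenge)
	au := AuthorizedUsers{"CN=alice,O=Example": {"alice", "deploy"}} // constructed mapping
	for _, account := range []string{"alice", "root"} {
		ok, err := Login(caPub, au, cert, challenge, proof, account)
		fmt.Printf("login as %-6s -> allowed=%v err=%v\n", account, ok, err)
	}
}
```

Run as-is, the certificate authenticates the same DN both times, but only the "alice" attempt is authorized; the "root" attempt is refused by the mapping rather than by the CA, which is exactly the authorized_users lookup the reply says cannot be dropped.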
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:02 UTC