From owner-freebsd-current@FreeBSD.ORG Thu Nov 16 21:52:10 2006
Date: Thu, 16 Nov 2006 16:50:52 -0500
From: Stephen Frost
To: Daniel Hartmeier
Cc: tech@openbsd.org, openssh-unix-dev@mindrot.org, markus@openbsd.org, freebsd-current@freebsd.org
Subject: Re: OpenSSH Certkey (PKI)
Message-ID: <20061116215052.GI24675@kenobi.snowman.net>
In-Reply-To: <20061115142820.GB14649@insomnia.benzedrine.cx>
References: <20061115142820.GB14649@insomnia.benzedrine.cx>
User-Agent: Mutt/1.5.13 (2006-08-11)
List-Id: Discussions about the use of FreeBSD-current
Greetings,

Overall I'd like to see OpenSSH support PKI in addition to the existing methods. I'm more keen on it being used for host authentication than for user certificates, personally. I did want to comment on this though:

* Daniel Hartmeier (daniel@benzedrine.cx) wrote:
> +Certkey does not involve online verfication, the CA is not contacted by either
> +client or server. Instead, the CA generates certificates which are (once)
> +distributed to hosts and users. Any subsequent logins take place without the
> +involvment of the CA, based solely on the certificates provided between client
> +and server.

Would you consider adding support for OCSP? I saw a lot of discussion regarding CRLs (and some of their rather well known downsides) but only once saw mention of OCSP, and that with no response. While CRLs are useful in some circumstances I believe OCSP is generally a better approach. Ideally, both would be supported. If I had to pick one I'd rather see OCSP than CRL support though.

Thanks,

Stephen
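Review bot: the quoted documentation paragraph states that the CA is never contacted after certificates are distributed, but it does not say how a certificate is withdrawn once a host key or user key is compromised or retired. Without that, a reader of the man page will assume a certificate stays valid until its expiry no matter what. Suggest adding a sentence right after "and server." that either names the revocation mechanism the implementation provides (for example a CA-distributed revocation list that clients and servers must fetch) or states explicitly that revocation is out of scope and that short validity periods are the intended mitigation. Also "verfication" and "involvment" should read "verification" and "involvement".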
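The model the quoted paragraph describes (a CA signs a certificate once, and later logins check it using only the CA's public key) and the revocation gap the reply raises can be shown side by side in a few dozen lines. The following is an added example written for this archive page; it is not OpenSSH's certkey code and does not use OpenSSH's certificate wire format. The `HostCert` structure, the length-prefixed encoding, and the `CA`, `VerifyOffline` and `VerifyWithCRL` names are all assumptions made for the illustration, and the CRL is modelled as a plain set of revoked serial numbers that the CA hands out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// HostCert is a constructed, minimal certificate: a host public key bound to a
// hostname, serial number and validity window, signed by the CA.
// Assumption for this example only; it is NOT OpenSSH's certkey format.
type HostCert struct {
	Serial    uint64
	Hostname  string
	HostKey   ed25519.PublicKey
	NotBefore int64 // Unix seconds
	NotAfter  int64 // Unix seconds
	Signature []byte
}

// appendField length-prefixes each field so the signed byte string is unambiguous
// (otherwise "ab"+"c" and "a"+"bc" would sign identically).
func appendField(buf, field []byte) []byte {
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(field)))
	return append(append(buf, n[:]...), field...)
}

// signedBytes is the canonical encoding the CA signs and the verifier rebuilds.
func (c *HostCert) signedBytes() []byte {
	var ser, nb, na [8]byte
	binary.BigEndian.PutUint64(ser[:], c.Serial)
	binary.BigEndian.PutUint64(nb[:], uint64(c.NotBefore))
	binary.BigEndian.PutUint64(na[:], uint64(c.NotAfter))
	var buf []byte
	buf = appendField(buf, ser[:])
	buf = appendField(buf, []byte(c.Hostname))
	buf = appendField(buf, c.HostKey)
	buf = appendField(buf, nb[:])
	buf = appendField(buf, na[:])
	return buf
}

// CA holds the signing key and, on the CA side only, the set of revoked serials.
type CA struct {
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	revoked map[uint64]bool
}

func NewCA() (*CA, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &CA{Pub: pub, priv: priv, revoked: map[uint64]bool{}}, nil
}

// Issue is the one-time step: after this the CA is never contacted at login.
func (ca *CA) Issue(serial uint64, hostname string, hostKey ed25519.PublicKey, notBefore, notAfter time.Time) *HostCert {
	c := &HostCert{Serial: serial, Hostname: hostname, HostKey: hostKey,
		NotBefore: notBefore.Unix(), NotAfter: notAfter.Unix()}
	c.Signature = ed25519.Sign(ca.priv, c.signedBytes())
	return c
}

// Revoke marks a serial on the CA; nobody learns of it unless a CRL is distributed.
func (ca *CA) Revoke(serial uint64) { ca.revoked[serial] = true }

// CRL is a snapshot of revoked serials as the CA would push it out to clients.
func (ca *CA) CRL() map[uint64]bool {
	out := make(map[uint64]bool, len(ca.revoked))
	for s := range ca.revoked {
		out[s] = true
	}
	return out
}

// VerifyOffline is all a client can do with nothing but the CA public key:
// check the CA signature, the name binding and the validity window.
func VerifyOffline(caPub ed25519.PublicKey, c *HostCert, hostname string, now time.Time) error {
	if !ed25519.Verify(caPub, c.signedBytes(), c.Signature) {
		return errors.New("bad CA signature")
	}
	if c.Hostname != hostname {
		return fmt.Errorf("certificate is for %q, not %q", c.Hostname, hostname)
	}
	if t := now.Unix(); t < c.NotBefore || t > c.NotAfter {
		return errors.New("certificate outside validity window")
	}
	return nil
}

// VerifyWithCRL adds the revocation check; it is only as good as the CRL's freshness.
func VerifyWithCRL(caPub ed25519.PublicKey, c *HostCert, hostname string, now time.Time, crl map[uint64]bool) error {
	if err := VerifyOffline(caPub, c, hostname, now); err != nil {
		return err
	}
	if crl[c.Serial] {
		return fmt.Errorf("certificate serial %d is revoked", c.Serial)
	}
	return nil
}

func main() {
	ca, _ := NewCA()
	hostPub, _, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	cert := ca.Issue(1, "host.example", hostPub, now.Add(-time.Hour), now.Add(24*time.Hour))
	fmt.Println("offline verify:", VerifyOffline(ca.Pub, cert, "host.example", now))
	ca.Revoke(1)
	fmt.Println("offline verify after revocation:", VerifyOffline(ca.Pub, cert, "host.example", now))
	fmt.Println("CRL verify after revocation:", VerifyWithCRL(ca.Pub, cert, "host.example", now, ca.CRL()))
}
```

The point of the two verifiers is the one the reply makes: after `Revoke`, `VerifyOffline` still accepts the certificate, because offline verification by design has no channel back to the CA; only a client that has fetched a current CRL (or, as the reply proposes, asks an OCSP responder) can learn the serial is bad. Short validity windows bound the damage either way, which is why `NotAfter` is part of the signed bytes rather than a client-side policy.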