From owner-freebsd-current@FreeBSD.ORG Thu Nov 16 20:13:58 2006
From: "Nick Bender"
To: tech@openbsd.org, openssh-unix-dev@mindrot.org, freebsd-current@freebsd.org
Date: Thu, 16 Nov 2006 15:12:58 -0500
Subject: Re: OpenSSH Certkey (PKI)
In-Reply-To: <20061115142820.GB14649@insomnia.benzedrine.cx>
References: <20061115142820.GB14649@insomnia.benzedrine.cx>
List-Id: Discussions about the use of FreeBSD-current
X-Mailman-Approved-At: Thu, 16 Nov 2006 20:30:44 +0000
X-List-Received-Date: Thu, 16 Nov 2006 20:13:58 -0000

> +SECURITY IMPLICATIONS
> +
> +The CA, specifically the holder of the CA private key (and its password, if it
> +is password encrypted), holds broad control over hosts and user accounts set
> +up in this way. Should the CA private key become compromised, all user
> +accounts become compromised.
> +
> +There is no way to revoke a certificate once it has been published, the
> +certificate is valid until it reaches the expiry date set by the CA.
> +

After spending a good part of a night locking down a network when an admin
"left", this leaves me feeling cold.

I think the addition of CAL gives you at least a prayer of addressing this in
a timely manner. In the event that you need to reauthorize from the top:

1. Shut down your CAL servers.
2. Generate and distribute a new CA cert.
3. Generate and distribute new host certs.
4. Start up the CAL servers.
5. Generate and distribute new user certs.

Did I miss anything?

The vulnerability window is now the time from compromise to the time of
shutdown of the CAL servers.

Note that there is one other time where the same procedure is required, but
without the time pressure - at CA cert expiry time.

I think the procedure should at least be included in the documentation if not
supported in some way by software...

-N
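Review bot: the revocation paragraph in the quoted documentation hunk ("+There is no way to revoke a certificate once it has been published, the / +certificate is valid until it reaches the expiry date set by the CA.") is a comma splice and, more importantly, leaves the operator without guidance: since the expiry date is the only bound on a leaked certificate's lifetime, the text should recommend short validity periods and spell out the full re-issue procedure (new CA cert, then host certs, then user certs) that a CA key compromise or CA cert expiry requires, as the reply below asks for.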
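The five-step "reauthorize from the top" procedure above, scripted as an added example that is not code from this thread, from the certkey patch, or from OpenSSH itself. It assumes the certificate signing that later OpenSSH releases ship in ssh-keygen (`-s`, `-I`, `-n`, `-V`, `-h`); the 2006 certkey patch had its own tooling, so that is an assumption. The CAL stop/start steps are placeholder functions, since no such daemon exists in stock OpenSSH, and the host and user keys it signs are constructed samples written to a scratch directory. The `issued_by` check at the end is what lets an administrator tell a certificate from the old, compromised CA apart from one issued by the new CA.

```shell
#!/bin/sh
# Added example, not code from the thread or from the certkey patch.
# Scripts steps 1-5 of the reauthorization procedure using the certificate
# signing that later OpenSSH ships in ssh-keygen (an assumption: the 2006
# certkey patch had different tooling). CAL stop/start are placeholders;
# no such daemon exists in stock OpenSSH.
set -eu

# Steps 1 and 4 (placeholders): the CAL lookup service is stopped first so no
# certificate issued by the compromised CA can be confirmed while rotating,
# and started again only after the new CA and host certs are in place.
cal_stop()  { echo "CAL stop"; }
cal_start() { echo "CAL start"; }

# Step 2: a fresh CA key pair in $1. The old CA key is treated as lost and
# never reused. Also writes the two trust files hosts and clients must get:
# an @cert-authority line for known_hosts, and a TrustedUserCAKeys file.
new_ca() {
    ssh-keygen -q -t ed25519 -N '' -C "ssh-ca-$(date +%Y%m%d)" -f "$1/ca"
    printf '@cert-authority * %s\n' "$(cat "$1/ca.pub")" > "$1/known_hosts.ca"
    cp "$1/ca.pub" "$1/trusted_user_ca_keys"
}

# Step 3: host certificate (-h) for public key $2 with principal $3 and
# validity $4, signed by the CA in $1.
sign_host() { ssh-keygen -q -s "$1/ca" -I "host-$3" -h -n "$3" -V "$4" "$2"; }

# Step 5: user certificate for public key $2 with principal $3 and validity
# $4. Without revocation the validity interval is the only bound on how long
# a leaked user cert stays usable, so it is kept short.
sign_user() { ssh-keygen -q -s "$1/ca" -I "user-$3" -n "$3" -V "$4" "$2"; }

# Fingerprint of the CA that signed certificate $1 (parsed from ssh-keygen -L),
# and fingerprint of the CA public key $1.
cert_ca_fp() {
    ssh-keygen -L -f "$1" | sed -n 's/.*Signing CA: *[A-Za-z0-9-]* \(SHA256:[^ ]*\).*/\1/p'
}
ca_fp() { ssh-keygen -l -f "$1" | awk '{print $2}'; }

# Succeeds when certificate $2 was issued by the CA whose public key is $1.
issued_by() { [ "$(cert_ca_fp "$2")" = "$(ca_fp "$1")" ]; }

# The whole procedure against scratch directory $1, with one constructed
# host key and one constructed user key standing in for the fleet.
rotate() {
    dir=$1
    cal_stop                                                    # 1
    new_ca "$dir"                                               # 2
    ssh-keygen -q -t ed25519 -N '' -f "$dir/host_key"           # constructed sample
    sign_host "$dir" "$dir/host_key.pub" gw.example.test +52w   # 3
    cal_start                                                   # 4
    ssh-keygen -q -t ed25519 -N '' -f "$dir/user_key"           # constructed sample
    sign_user "$dir" "$dir/user_key.pub" alice +1d              # 5
}
```

Run it with `d=$(mktemp -d); rotate "$d"`, then `issued_by "$d/ca.pub" "$d/user_key-cert.pub"` succeeds for the freshly signed certificate and fails for any certificate signed by the previous CA, which is exactly the state the procedure is meant to reach.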