Date:      Thu, 16 Nov 2006 21:16:13 +0100
From:      chefren <chefren@pi.net>
To:        Daniel Hartmeier <daniel@benzedrine.cx>
Cc:        Andre Oppermann <andre@freebsd.org>, markus@openbsd.org, freebsd-current@freebsd.org, beck@bofh.cns.ualberta.ca, tech@openbsd.org, openssh-unix-dev@mindrot.org
Subject:   Re: OpenSSH Certkey (PKI) adding CAL (online verification)
Message-ID:  <455CC70D.4010607@pi.net>
In-Reply-To: <20061116180141.GH14649@insomnia.benzedrine.cx>
References:  <20061115142820.GB14649@insomnia.benzedrine.cx> <455B29A4.3000601@freebsd.org> <20061115174747.GE26418@bofh.cns.ualberta.ca> <20061116180141.GH14649@insomnia.benzedrine.cx>

On 11/16/06 19:01, Daniel Hartmeier wrote:
 > On Wed, Nov 15, 2006 at 10:47:47AM -0700, Bob Beck wrote:
 >
 >>So, my two cents, make it complete first. Making an architecture
 >>for ssh that makes it easy to add trust centrally WITHOUT MAKING IT
 >>EASY TO REMOVE IT is irresponsible.
 >
 > Thank you for the rant ;)
 >
 > Here's the result. Adding a simple daemon that the OpenSSH servers
 > can query (over UDP port 22) to check user keys. See the first patch
 > chunk for details.
 >
 > Is this what you had in mind?
 >
 > Daniel

Gentlemen,

I fully agree with the concerns of Bob Beck and I'm happy with the 
attention of Daniel Hartmeier. And while everything is better than SSL...

The security and thus revocation should always be on, by default.

So it's a certificate system with off-line use of certificates with 
inherent bad revocation since you cannot revoke a certificate without 
being on-line with the authorizing server.

Or it should be an on-line (might of course be local) system where the 
authorizing server (and hopefully a well designed backup...) is at 
least always asked if access is OK at the beginning of a session 
(hopefully possible to limit with time or amount of traffic or packets 
or or... (but don't rebuild SSL!)).

Please drop the classic "off-line" PKI scheme and present us an 
elegant and robust on-line system.

+++chefren
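An added example (not code from this thread, from Daniel's patch or from OpenSSH) that models the two designs chefren contrasts: an off-line certificate that the server validates on its own, versus an on-line authority asked at the start of every session. Key names, clock ticks and the fail-closed default are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class OfflineCert:
    """Certificate carried by the client. The server never contacts the
    authority, so a revocation after issuance is invisible until expiry."""
    key_id: str
    valid_from: int
    valid_until: int


def offline_check(cert: OfflineCert, now: int) -> bool:
    """Off-line validation: only the validity window can be enforced."""
    return cert.valid_from <= now <= cert.valid_until


@dataclass
class Authority:
    """On-line authorizing server holding the revocation set. It may be
    unreachable, which is the case the 'well designed backup' is for."""
    revoked: set = field(default_factory=set)
    reachable: bool = True

    def query(self, key_id: str):
        if not self.reachable:
            return None  # no verdict: the caller decides fail-open or fail-closed
        return key_id not in self.revoked


def online_check(authority: Authority, key_id: str, fail_closed: bool = True) -> bool:
    """Ask the authority at session start. With fail_closed (the default)
    an unreachable authority means no access: revocation stays 'on'."""
    verdict = authority.query(key_id)
    if verdict is None:
        return not fail_closed
    return verdict


def compare(cert: OfflineCert, revoke_at: int, check_at: int) -> dict:
    """Decision of each design when the key is revoked at `revoke_at`
    (constructed clock ticks) and a session is attempted at `check_at`."""
    authority = Authority()
    if check_at >= revoke_at:
        authority.revoked.add(cert.key_id)
    return {"offline": offline_check(cert, check_at),
            "online": online_check(authority, cert.key_id)}
```

Between revocation and certificate expiry the off-line design still grants access, while the on-line design refuses at once; the price is that the on-line design also refuses whenever the authority cannot be reached.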
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?455CC70D.4010607>