From: chefren <chefren@pi.net>
Date: Thu, 16 Nov 2006 21:16:13 +0100
To: Daniel Hartmeier
Cc: Andre Oppermann, markus@openbsd.org, freebsd-current@freebsd.org, beck@bofh.cns.ualberta.ca, tech@openbsd.org, openssh-unix-dev@mindrot.org
Subject: Re: OpenSSH Certkey (PKI) adding CAL (online verification)
Message-ID: <455CC70D.4010607@pi.net>
In-Reply-To: <20061116180141.GH14649@insomnia.benzedrine.cx>
List-Id: Discussions about the use of FreeBSD-current

On 11/16/06 19:01, Daniel Hartmeier wrote:
> On Wed, Nov 15, 2006 at 10:47:47AM -0700, Bob Beck wrote:
>
>> So, my two cents, make it complete first. Making an architecture
>> for ssh that makes it easy to add trust centrally WITHOUT MAKING IT
>> EASY TO REMOVE IT is irresponsible.
>
> Thank you for the rant ;)
>
> Here's the result. Adding a simple daemon that the OpenSSH servers
> can query (over UDP port 22) to check user keys. See the first patch
> chunk for details.
>
> Is this what you had in mind?
>
> Daniel

Gentlemen,

I fully agree with the concerns of Bob Beck and I'm happy with the attention of Daniel Hartmeier. And while everything is better than SSL...

The security, and thus revocation, should always be on, by default.

So either it's a certificate system with off-line use of certificates, with inherently bad revocation, since you cannot revoke a certificate without being on-line with the authorizing server.

Or it should be an on-line (might of course be local) system where the authorizing server (and hopefully a well designed backup...) is at least always asked if access is OK at the beginning of a session (hopefully possible to limit by time or amount of traffic or packets or... (but don't rebuild SSL!)).

Please drop the classic "off-line" PKI scheme and present us an elegant and robust on-line system.

+++chefren
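The kind of exchange the thread is arguing about, as an added example in Python: an "authorizing server" that answers per-session key checks, and the sshd-side logic that consults it at session start and denies when it is unreachable, which is the always-on, fail-closed behaviour chefren asks for. This is not the code from Daniel's patch and not anything posted in the thread; the JSON wire format, the pre-shared HMAC secret, the nonce, the fingerprint strings and the primary/backup ordering are all assumptions made here for illustration. The HMAC and nonce are there because a UDP reply is trivially spoofable: an unauthenticated "allow" on the wire would let anyone on the path re-add the trust that revocation was supposed to remove.

```python
"""Added example: online key-authorization check with fail-closed policy.

Not the OpenSSH patch and not code from the thread. The message format,
the shared secret and the fingerprint values are assumptions.
"""
import hashlib
import hmac
import json
import os
import time

# Assumption: a secret pre-shared between sshd and the authorizing server.
SHARED_KEY = b"example-shared-secret"


class KeyAuthority:
    """The 'authorizing server': holds the revocation set and signs verdicts."""

    def __init__(self, shared_key, revoked):
        self.shared_key = shared_key
        self.revoked = set(revoked)

    def respond(self, query_bytes):
        """Answer one query; the verdict is bound to the caller's nonce and fp."""
        q = json.loads(query_bytes.decode())
        verdict = "deny" if q["fp"] in self.revoked else "allow"
        body = {"fp": q["fp"], "nonce": q["nonce"], "ts": q["ts"], "verdict": verdict}
        payload = json.dumps(body, sort_keys=True).encode()
        tag = hmac.new(self.shared_key, payload, hashlib.sha256).hexdigest()
        return json.dumps({"body": body, "tag": tag}, sort_keys=True).encode()


def build_query(fp, nonce=None, ts=None):
    """sshd side: fresh nonce per session so an old 'allow' cannot be replayed."""
    nonce = nonce or os.urandom(16).hex()
    ts = int(time.time()) if ts is None else ts
    query = json.dumps({"fp": fp, "nonce": nonce, "ts": ts}, sort_keys=True).encode()
    return query, nonce


def decide(fp, nonce, response_bytes, shared_key):
    """Return True only for an authentic 'allow' bound to this fp and nonce.

    Every other outcome (no reply, malformed reply, bad tag, wrong nonce,
    explicit deny) returns False: the check fails closed.
    """
    if response_bytes is None:
        return False  # authority unreachable: deny, security stays on
    try:
        msg = json.loads(response_bytes.decode())
        body, tag = msg["body"], msg["tag"]
        payload = json.dumps(body, sort_keys=True).encode()
    except (ValueError, KeyError, TypeError):
        return False  # garbage on the wire is not an 'allow'
    expected = hmac.new(shared_key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False  # forged or spoofed UDP reply
    if body.get("nonce") != nonce or body.get("fp") != fp:
        return False  # authentic, but an answer to some other question
    return body.get("verdict") == "allow"


def check_key(fp, transports, shared_key, nonce=None):
    """Ask the primary, then the backup(s); the first one that answers decides.

    `transports` is a list of callables taking query bytes and returning
    reply bytes, or None on timeout (assumed transport abstraction).
    """
    query, nonce = build_query(fp, nonce=nonce)
    for send in transports:
        reply = send(query)
        if reply is not None:
            return decide(fp, nonce, reply, shared_key)
    return False  # primary and backup both silent: deny


if __name__ == "__main__":
    authority = KeyAuthority(SHARED_KEY, revoked={"SHA256:revokedkey"})
    unreachable = lambda q: None  # constructed: a primary that has timed out
    print(check_key("SHA256:goodkey", [authority.respond], SHARED_KEY))          # True
    print(check_key("SHA256:revokedkey", [authority.respond], SHARED_KEY))       # False
    print(check_key("SHA256:goodkey", [unreachable], SHARED_KEY))                # False
    print(check_key("SHA256:goodkey", [unreachable, authority.respond], SHARED_KEY))  # True
```

The one design choice worth stating: `check_key` never returns True without an authenticated reply, so losing the authority (and its backup) means no new sessions rather than unchecked sessions. That is the opposite of what a certificate system with optional revocation does, and it is the point Bob Beck and chefren are making; the rate or time limits chefren mentions would sit on top of `check_key`, not replace it.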