From: Bob Beck <beck@bofh.cns.ualberta.ca>
To: Nick Bender
Cc: tech@openbsd.org, openssh-unix-dev@mindrot.org, freebsd-current@freebsd.org
Date: Thu, 16 Nov 2006 13:49:21 -0700 (MST)
Subject: Re: OpenSSH Certkey (PKI)
Message-ID: <20061116204921.GX26418@bofh.cns.ualberta.ca>
References: <20061115142820.GB14649@insomnia.benzedrine.cx>
List: freebsd-current@freebsd.org

I would think it would be nice if "CAL" had a way of saying "these are the
ones to be revoked", so no shutdown, just propagate the bad one - but I'm
talking to Daniel offline about it.
* Nick Bender [2006-11-16 13:23]:
> >+SECURITY IMPLICATIONS
> >+
> >+The CA, specifically the holder of the CA private key (and its password,
> >if it
> >+is password encrypted), holds broad control over hosts and user accounts
> >set
> >+up in this way. Should the CA private key become compromised, all user
> >+accounts become compromised.
> >+
> >+There is no way to revoke a certificate once it has been published, the
> >+certificate is valid until it reaches the expiry date set by the CA.
> >+
>
> After spending a good part of a night locking down a network when an
> admin "left", this leaves me feeling cold.
>
> I think the addition of CAL gives you at least a prayer of addressing
> this in a timely manner. In the event that you need to reauthorize
> from the top:
>
> 1. Shut down your CAL servers.
> 2. Generate and distribute a new CA cert.
> 3. Generate and distribute new host certs.
> 4. Start up the CAL servers.
> 5. Generate and distribute new user certs.
>
> Did I miss anything?
>
> The vulnerability window is now the time from compromise to the time of
> shutdown of the CAL servers.
>
> Note that there is one other time when the same procedure is required,
> but without the time pressure: at CA cert expiry time.
>
> I think the procedure should at least be included in the documentation,
> if not supported in some way by software...
>
> -N
> -- 
> #!/usr/bin/perl
> if ((not 0 && not 1) != (! 0 && ! 1)) {
>     print "Larry and Tom must smoke some really primo stuff...\n";
> }
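Review bot: the compromise sentence in the quoted SECURITY IMPLICATIONS hunk names only user accounts, although the sentence before it says the CA controls hosts as well; a holder of the CA private key can sign host certificates too, so the consequence should cover both, e.g. "Should the CA private key become compromised, all host and user certificates issued by it must be considered compromised." The revocation paragraph that follows tells the reader that nothing can be revoked but gives nothing to act on: since a certificate stays valid until the expiry the CA chose, add that operators should set short expiry times to bound the exposure, and that the only recovery from a CA compromise is to issue a new CA and re-sign every host and user certificate under it.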
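Added example (editor's, not part of this thread and not code from the Certkey patch under discussion): steps 2, 3 and 5 of the procedure Nick lists above, carried out with the certificate support in present-day OpenSSH (ssh-keygen -s; OpenSSH 6.5 or later is assumed, for ed25519 keys). CAL, the distribution service in steps 1 and 4, has no counterpart here, so pushing the new CA public key and certificates to hosts and clients is left out. The host name, user name, validity periods and file paths are made up for the demonstration. The final check shows what rotation buys you in a scheme without revocation: a certificate is accepted only if its signing CA is still the one hosts and clients trust, so issuing a new CA invalidates everything the old CA signed, at the price of re-issuing all of it.

```sh
#!/bin/sh
# Added example, not from the thread or the Certkey patch: re-keying from the
# top with current OpenSSH certificates. Assumes ssh-keygen (OpenSSH >= 6.5).
# Distribution of the new CA/host/user certificates is site-specific and is
# not modelled; only the signing side and the trust decision are shown.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate an unencrypted CA key pair at $1. Constructed for the demo only; a
# production CA key would be passphrase-protected or kept off the network.
new_ca() {
    ssh-keygen -q -t ed25519 -N '' -C "ssh-ca $(date +%s)" -f "$1"
}

# Sign $3.pub with CA $1 as a host ($2 = host) or user certificate for the
# principal $4, valid for $5 in ssh-keygen -V syntax (e.g. +52w). The key pair
# is created if it does not exist yet. Output lands in $3-cert.pub.
issue_cert() {
    ca=$1; kind=$2; key=$3; principal=$4; validity=$5
    [ -f "$key" ] || ssh-keygen -q -t ed25519 -N '' -f "$key"
    if [ "$kind" = host ]; then
        ssh-keygen -q -s "$ca" -h -I "$principal" -n "$principal" -V "$validity" "$key.pub"
    else
        ssh-keygen -q -s "$ca" -I "$principal" -n "$principal" -V "$validity" "$key.pub"
    fi
}

# Fingerprint of the key that signed certificate $1, as printed by -L.
signing_ca_fp() {
    ssh-keygen -L -f "$1" | awk '/Signing CA:/ { print $4 }'
}

# Fingerprint of public key $1.
key_fp() {
    ssh-keygen -l -f "$1" | awk '{ print $2 }'
}

# Succeeds iff certificate $1 was signed by the CA whose public key is $2.
# Without revocation this is the whole trust decision a host or client can
# make: signing CA still trusted, and (enforced by ssh/sshd at connect time)
# the validity period not yet over.
cert_trusted_by() {
    [ "$(signing_ca_fp "$1")" = "$(key_fp "$2")" ]
}

# Step 2: new CA. Step 3: new host certs. Step 5: new user certs.
# Returns 0 if a user cert from the old CA is rejected under the new CA while
# the re-issued host and user certs are accepted. Files are left in $RUN_DIR.
reissue_from_top() {
    RUN_DIR=$(mktemp -d "$WORK/run.XXXXXX")

    # Pre-compromise state: one CA, one long-lived user cert signed by it.
    new_ca "$RUN_DIR/ca_old"
    issue_cert "$RUN_DIR/ca_old" user "$RUN_DIR/alice" alice +52w
    cp "$RUN_DIR/alice-cert.pub" "$RUN_DIR/alice-cert-old.pub"

    # Re-key from the top. The new user cert gets a short lifetime so the
    # exposure is bounded if this ever has to be done again.
    new_ca "$RUN_DIR/ca_new"
    issue_cert "$RUN_DIR/ca_new" host "$RUN_DIR/web1" web1.example.org +52w
    issue_cert "$RUN_DIR/ca_new" user "$RUN_DIR/alice" alice +1d

    ! cert_trusted_by "$RUN_DIR/alice-cert-old.pub" "$RUN_DIR/ca_new.pub" &&
      cert_trusted_by "$RUN_DIR/web1-cert.pub" "$RUN_DIR/ca_new.pub" &&
      cert_trusted_by "$RUN_DIR/alice-cert.pub" "$RUN_DIR/ca_new.pub"
}

reissue_from_top && echo "old user cert rejected, new host and user certs accepted"
```

Run it with sh on a machine that has ssh-keygen. Note that the old user certificate is still a perfectly well-formed certificate with a year of validity left; the only thing that stops it working is that no host trusts the key that signed it any more, which is exactly why every host and every user has to be re-issued when the CA is.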