Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 16 Nov 2006 16:50:52 -0500
From:      Stephen Frost <sfrost@snowman.net>
To:        Daniel Hartmeier <daniel@benzedrine.cx>
Cc:        tech@openbsd.org, openssh-unix-dev@mindrot.org, markus@openbsd.org, freebsd-current@freebsd.org
Subject:   Re: OpenSSH Certkey (PKI)
Message-ID:  <20061116215052.GI24675@kenobi.snowman.net>
In-Reply-To: <20061115142820.GB14649@insomnia.benzedrine.cx>
References:  <20061115142820.GB14649@insomnia.benzedrine.cx>
next in thread | previous in thread | raw e-mail | index | archive | help 

--vuSKPN9Gaa4EcW8B
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Greetings,

Overall I'd like to see OpenSSH support PKI in addition to the existing
methods.  I'm more keen on it being used for host authentication than
for user certificates, personally.  I did want to comment on this
though:

* Daniel Hartmeier (daniel@benzedrine.cx) wrote:
> +Certkey does not involve online verfication, the CA is not contacted by either
> +client or server. Instead, the CA generates certificates which are (once)
> +distributed to hosts and users. Any subsequent logins take place without the
> +involvment of the CA, based solely on the certificates provided between client
> +and server.

Would you consider adding support for OCSP?  I saw alot of
discussion regarding CRLs (and some of their rather well known
downsides) but only once saw mention of OCSP, and that with no response.
While CRLs are useful in some circumstances I believe OCSP is generally
a better approach.  Ideally, both would be supported.  If I had to pick
one I'd rather see OCSP than CRL support though.

	Thanks,

		Stephen

--vuSKPN9Gaa4EcW8B
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFXN08rzgMPqB3kigRAuUEAJ9z/iOdxkg9bcIYlY1mpSsjJNuyMwCgmr11
wPK2LW0p+dvGNFv0kC9pb3w=
=3xzk
-----END PGP SIGNATURE-----

--vuSKPN9Gaa4EcW8B--

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20061116215052.GI24675>