From: Andre Oppermann <andre@freebsd.org>
Date: Fri, 17 Nov 2006 14:09:59 +0100
To: Stephen Frost
Cc: Daniel Hartmeier, tech@openbsd.org, openssh-unix-dev@mindrot.org, markus@openbsd.org, freebsd-current@freebsd.org
Subject: Re: OpenSSH Certkey (PKI)
Message-ID: <455DB4A7.60200@freebsd.org>
In-Reply-To: <20061116215052.GI24675@kenobi.snowman.net>
References: <20061115142820.GB14649@insomnia.benzedrine.cx> <20061116215052.GI24675@kenobi.snowman.net>
List-Id: Discussions about the use of FreeBSD-current

Stephen Frost wrote:
> Greetings,
>
> Overall I'd like to see OpenSSH support PKI in addition to the existing
> methods. I'm more keen on it being used for host authentication than
> for user certificates, personally. I did want to comment on this
> though:

Like I said in another email, the PKI support for host authentication is
separate from accepting certificates for user authentication/authorization.

> * Daniel Hartmeier (daniel@benzedrine.cx) wrote:
>
>>+Certkey does not involve online verfication, the CA is not contacted by either
>>+client or server. Instead, the CA generates certificates which are (once)
>>+distributed to hosts and users. Any subsequent logins take place without the
>>+involvment of the CA, based solely on the certificates provided between client
>>+and server.
>
> Would you consider adding support for OCSP? I saw a lot of
> discussion regarding CRLs (and some of their rather well known
> downsides) but only once saw mention of OCSP, and that with no response.
> While CRLs are useful in some circumstances I believe OCSP is generally
> a better approach. Ideally, both would be supported. If I had to pick
> one I'd rather see OCSP than CRL support though.

Nothing precludes an OCSP implementation and it can be easily inserted
should someone write it. We don't do it because the goal of our OpenSSH
PKI is to be completely self-contained w/o any external dependencies.
Working right out of the box with minimal configuration effort. Only
security that is easy to use will get used in a safe way.

--
Andre
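Review bot: The quoted Certkey README lines say the CA is never contacted after it issues certificates, but they do not say how a certificate is revoked or how long it remains valid once distributed; since the whole verification path is offline, a sentence naming the revocation mechanism (for example, how a CRL is distributed to hosts and users) and the intended certificate lifetime would answer the CRL/OCSP question raised in this thread and belongs next to the "(once) distributed" statement.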