From owner-freebsd-current@FreeBSD.ORG Fri Nov 17 13:29:58 2006 Return-Path: X-Original-To: freebsd-current@freebsd.org Delivered-To: freebsd-current@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6D8A516A403 for ; Fri, 17 Nov 2006 13:29:58 +0000 (UTC) (envelope-from dl@leo.org) Received: from tortuga.leo.org (tortuga.leo.org [83.220.155.1]) by mx1.FreeBSD.org (Postfix) with ESMTP id D37D743D46 for ; Fri, 17 Nov 2006 13:29:57 +0000 (GMT) (envelope-from dl@leo.org) Received: by tortuga.leo.org (Postfix, from userid 1000) id 923B2E09BE; Fri, 17 Nov 2006 14:29:56 +0100 (CET) Date: Fri, 17 Nov 2006 14:29:56 +0100 From: Daniel Lang To: "Wolfgang S. Rupprecht" Message-ID: <20061117132956.GB26343@tortuga.leo.org> References: <20061115142820.GB14649@insomnia.benzedrine.cx> <87odr8i53w.fsf@arbol.wsrcc.com> <20061116135627.GA26343@tortuga.leo.org> <87ac2rjqaf.fsf@arbol.wsrcc.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <87ac2rjqaf.fsf@arbol.wsrcc.com> X-Geek: GCS/CC d-- s: a C++$ UBS++++$ P+++$ L- E-(---) W+++(--) N++ o K w--- O? M? V? PS+(++) PE--(+) Y+ PGP+ t++ 5+++ X R+(-) tv+ b+ DI++ D++ G++ e+++ h---(-) r+++ y+++ User-Agent: Mutt/1.5.12-2006-07-14 Cc: freebsd-current@freebsd.org, openssh-unix-dev@mindrot.org, tech@openbsd.org Subject: Re: OpenSSH Certkey (PKI) X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 Nov 2006 13:29:58 -0000 Hi, Wolfgang S. Rupprecht wrote on Thu, Nov 16, 2006 at 08:43:20AM -0800: [..] > Oops. I quoted the wrong section. I had meant to quote the section > about the user_certificates. This is what I meant to cite: > > +A user certificate is an authorization made by the CA that the > +holder of a specific private key may login to the server as a > +specific user, without the need of an authorized_keys file being > +present. The CA gains the power to grant individual users access > +to the server, and users do no longer need to maintain > +authorized_keys files of their own. > > I don't see a problem with the host certificates methodology. (In > fact I'd love to see the known_hosts files fade away as more hosts > transition to using host certificates.) Ok, I see. A user certificate just means that the user is authenticated, so I agree that the difference between authentication and authorisation can be mixed up here and becomes blurred. In fact, it would mean, that you could abandon the authorized_keys file, but you would still need an "authorized_users" file, that would need to contain the DN (or a similar identifier) of the user that matches the certificate. So not a lot is saved, but things may become less transparent.... Cheers, Daniel