From owner-freebsd-current@FreeBSD.ORG Fri Nov 17 20:02:57 2006
From: "Wolfgang S. Rupprecht"
To: freebsd-current@freebsd.org
Cc: tech@openbsd.org, openssh-unix-dev@mindrot.org
Subject: Re: OpenSSH Certkey (PKI)
Date: Fri, 17 Nov 2006 12:02:37 -0800
Organization: W S Rupprecht Computer Consulting, Fremont CA
Message-ID: <87ejs1c04i.fsf@arbol.wsrcc.com>
References: <20061115142820.GB14649@insomnia.benzedrine.cx> <87odr8i53w.fsf@arbol.wsrcc.com> <20061116135627.GA26343@tortuga.leo.org> <87ac2rjqaf.fsf@arbol.wsrcc.com> <20061117132956.GB26343@tortuga.leo.org>
User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux)

Daniel Lang writes:
> In fact, it would mean that you could abandon the authorized_keys
> file, but you would still need an "authorized_users" file that
> would need to contain the DN (or a similar identifier) of the user
> that matches the certificate. So not a lot is saved, but things
> may become less transparent....

The advantage of splitting authorization / authentication is that it
opens up the possibility of a single certificate being used to identify
a user over quite a large range of non-cooperating organizations. That
way a potential user can approach the system admin with their
company-wide (or Internet-wide) certificate and the system admin can
enter that certificate into a user's list (or into the user's
authorized_keys file, etc.).

I'd much rather they use the whole certificate as the test instead of
just the DN it contains. That way, the only aspect of the PKI they need
to trust is that the key is strong enough to resist breaking. They
don't really need to trust that the DN is their true name or that there
won't be a DN name-clash a few months down the road. They just need to
trust that the PKI works.

-wolfgang
-- 
Wolfgang S. Rupprecht                http://www.wsrcc.com/wolfgang/
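The two authorization policies discussed in this message, side by side, as an added example that is not part of the original post and not OpenSSH code. It models a certificate as nothing more than a subject DN, the subject's raw public key bytes and an issuer name; the PKI step is reduced to "was it issued by a CA this host trusts" in place of real chain validation, and all CA names, DNs and key bytes are constructed. The point it makes concrete is the DN name-clash: a second certificate issued months later with the same DN but a different key passes an authorized_users list keyed on DN, and fails a list keyed on the key itself.

```python
"""Authorizing a certificate holder by DN versus by the certificate's key.

Constructed toy model (not OpenSSH code): a "certificate" is just a
subject DN, the subject's public key bytes and an issuer name.  The PKI
step is reduced to an issuer-name check; a real implementation would
verify the signature chain at that point.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    dn: str          # subject distinguished name as printed in the cert
    pubkey: bytes    # subject public key bytes carried in the cert
    issuer: str      # name of the CA that signed it (constructed)


# CAs this host trusts to issue user certificates (constructed names).
TRUSTED_ISSUERS = {"CN=Example Corp CA", "CN=Example Partner CA"}


def pki_accepts(cert: Cert) -> bool:
    """Stand-in for chain validation: only the issuer name is checked."""
    return cert.issuer in TRUSTED_ISSUERS


def fingerprint(pubkey: bytes) -> str:
    """Key identifier an admin would paste into an authorized_keys-style list."""
    return "SHA256:" + hashlib.sha256(pubkey).hexdigest()


def authorize_by_dn(cert: Cert, authorized_dns: set[str]) -> bool:
    """Policy from the quoted message: an authorized_users list keyed on DN."""
    return pki_accepts(cert) and cert.dn in authorized_dns


def authorize_by_key(cert: Cert, authorized_fps: set[str]) -> bool:
    """Policy argued for in the reply: the list holds the key itself, not the name."""
    return pki_accepts(cert) and fingerprint(cert.pubkey) in authorized_fps


# Constructed sample: the user who was actually granted access ...
alice = Cert("CN=Alice Example, O=Example Corp",
             b"alice-public-key-bytes-1", "CN=Example Corp CA")
# ... a different person whose certificate, issued later by another trusted
# CA, carries a colliding DN (the name-clash case) ...
alice_clash = Cert("CN=Alice Example, O=Example Corp",
                   b"someone-elses-key-bytes", "CN=Example Partner CA")
# ... and the same DN and key presented in a certificate from an untrusted CA.
rogue = Cert("CN=Alice Example, O=Example Corp",
             b"alice-public-key-bytes-1", "CN=Rogue CA")

AUTHORIZED_DNS = {alice.dn}
AUTHORIZED_FPS = {fingerprint(alice.pubkey)}


def outcome(cert: Cert) -> tuple[bool, bool]:
    """(decision under DN policy, decision under key policy) for one cert."""
    return (authorize_by_dn(cert, AUTHORIZED_DNS),
            authorize_by_key(cert, AUTHORIZED_FPS))


if __name__ == "__main__":
    for label, c in (("alice", alice), ("alice_clash", alice_clash), ("rogue", rogue)):
        by_dn, by_key = outcome(c)
        print(f"{label:12s} by_dn={by_dn} by_key={by_key}")
```

Under the DN policy the colliding certificate is accepted because the CA vouched for a name the admin once entered; under the key policy only the key the admin actually entered gets in, so the admin's trust in the PKI is reduced to the strength of that key and the issuer check, exactly the narrowing the message argues for.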