Date:      Fri, 17 Nov 2006 12:02:37 -0800
From:      "Wolfgang S. Rupprecht" <wolfgang+gnus200611@dailyplanet.dontspam.wsrcc.com>
To:        freebsd-current@freebsd.org
Cc:        tech@openbsd.org, openssh-unix-dev@mindrot.org
Subject:   Re: OpenSSH Certkey (PKI)
Message-ID:  <87ejs1c04i.fsf@arbol.wsrcc.com>
References:  <20061115142820.GB14649@insomnia.benzedrine.cx> <87odr8i53w.fsf@arbol.wsrcc.com> <20061116135627.GA26343@tortuga.leo.org> <87ac2rjqaf.fsf@arbol.wsrcc.com> <20061117132956.GB26343@tortuga.leo.org>


Daniel Lang <dl@leo.org> writes:
> In fact, it would mean that you could abandon the authorized_keys
> file, but you would still need an "authorized_users" file that
> would need to contain the DN (or a similar identifier) of the user
> that matches the certificate. So not a lot is saved, but things
> may become less transparent....

The advantage of splitting the authorization / authentication is it
opens up the possibility of a single certificate being used to
identify a user over quite a large range of non-cooperating
organizations.  That way a potential user can approach the system
admin with their company-wide (or Internet-wide) certificate and the
system admin can enter that certificate into a user's list (or
into the user's authorized_keys file etc).

I'd much rather they use the whole certificate as the test instead of
just the DN it contains.  That way, the only aspect of the PKI they
need to trust is that the key is strong enough to resist breaking.
They don't really need to trust that the DN is their true name or that
there won't be a DN name-clash a few months down the road.  They just
need to trust that the PKI works.

-wolfgang
-- 
Wolfgang S. Rupprecht                http://www.wsrcc.com/wolfgang/
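The two authorization models discussed in this thread, as an added illustration that is not part of the original mailing-list message: an "authorized_users" list that matches on the certificate's DN, beside an authorized_keys-style list that matches on the whole key the certificate carries. The certificates, keys and DNs below are constructed stand-ins (no real X.509 parsing or signature verification), and the fingerprint helper only mimics the OpenSSH SHA256 fingerprint format.

```python
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Certificate:
    """Constructed stand-in for a user certificate: a subject DN plus the
    raw public-key bytes the certificate binds to that name."""
    subject_dn: str
    public_key: bytes


def fingerprint(public_key: bytes) -> str:
    """OpenSSH-style fingerprint: SHA-256 of the key bytes, base64 without padding."""
    digest = hashlib.sha256(public_key).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


# Model 1: "authorized_users" keyed on the DN inside the certificate.
def enroll_by_dn(authorized_users: set, cert: Certificate) -> None:
    authorized_users.add(cert.subject_dn)


def authorized_by_dn(authorized_users: set, cert: Certificate) -> bool:
    # Trusts the CA to never issue the same DN to anyone else.
    return cert.subject_dn in authorized_users


# Model 2: authorized_keys keyed on the whole key the certificate carries.
def enroll_by_key(authorized_keys: set, cert: Certificate) -> None:
    authorized_keys.add(fingerprint(cert.public_key))


def authorized_by_key(authorized_keys: set, cert: Certificate) -> bool:
    # Only the enrolled key matches; what the DN says is irrelevant.
    return fingerprint(cert.public_key) in authorized_keys


def name_clash_demo() -> dict:
    """Enroll one certificate under each model, then present a later
    certificate that reuses the same DN with a different key (the
    'DN name-clash a few months down the road')."""
    enrolled = Certificate("CN=Alice Example,O=Example Corp",
                           b"constructed-public-key-alice-2006")
    clash = Certificate("CN=Alice Example,O=Example Corp",
                        b"constructed-public-key-someone-else-2007")

    authorized_users: set = set()
    authorized_keys: set = set()
    enroll_by_dn(authorized_users, enrolled)
    enroll_by_key(authorized_keys, enrolled)

    return {
        "dn_model_admits_enrolled": authorized_by_dn(authorized_users, enrolled),
        "dn_model_admits_clash": authorized_by_dn(authorized_users, clash),
        "key_model_admits_enrolled": authorized_by_key(authorized_keys, enrolled),
        "key_model_admits_clash": authorized_by_key(authorized_keys, clash),
    }


if __name__ == "__main__":
    for check, result in name_clash_demo().items():
        print(f"{check}: {result}")
```

In the DN model the later certificate is accepted because the list only records a name, so the admin must trust the CA's naming discipline; in the key model the same certificate is rejected because the list records the key itself, which is the point made above that the only PKI property left to trust is key strength.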