Date: Thu, 16 Nov 2006 13:49:21 -0700 From: Bob Beck <beck@bofh.cns.ualberta.ca> To: Nick Bender <nbender@gmail.com> Cc: tech@openbsd.org, openssh-unix-dev@mindrot.org, freebsd-current@freebsd.org Subject: Re: OpenSSH Certkey (PKI) Message-ID: <20061116204921.GX26418@bofh.cns.ualberta.ca> In-Reply-To: <bf04f2850611161212t439d5ce4r59a8bb1fa3cf24@mail.gmail.com> References: <20061115142820.GB14649@insomnia.benzedrine.cx> <bf04f2850611161212t439d5ce4r59a8bb1fa3cf24@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
I would think it would be nice if "CAL" had a way of
saying "these are the ones to be revoked" so no shutdown, just
propagate the bad one - but I'm talking to daniel offline about it..
* Nick Bender <nbender@gmail.com> [2006-11-16 13:23]:
> >+SECURITY IMPLICATIONS
> >+
> >+The CA, specifically the holder of the CA private key (and its password,
> >if it
> >+is password encrypted), holds broad control over hosts and user accounts
> >set
> >+up in this way. Should the CA private key become compromised, all user
> >+accounts become compromised.
> >+
> >+There is no way to revoke a certificate once it has been published, the
> >+certificate is valid until it reaches the expiry date set by the CA.
> >+
>
> After spending a good part of a night locking down a network when an
> admin "left" this leaves me feeling cold.
>
> I think the addition of CAL gives you at least a prayer of addressing
> this in a timely manner. In the event that you need to reauthorize
> from the top:
>
> 1. Shutdown your CAL servers.
> 2. Generate and distribute new CA cert.
> 3. Generate and distribute new host certs.
> 4. Startup CAL servers.
> 5. Generate and distribute new user certs.
>
> Did I miss anything?
>
> The vulnerability window is now time from compromise to time of shutdown
> of CAL servers.
>
> Note that there is one other time where the same procedure is required
> but without the time pressure - at CA cert expiry time.
>
> I think the procedure should at least be included in the documentation
> if not supported in some way by software...
>
> -N
>
--
#!/usr/bin/perl
if ((not 0 && not 1) != (! 0 && ! 1)) {
print "Larry and Tom must smoke some really primo stuff...\n";
}
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20061116204921.GX26418>