Date: Wed, 15 Nov 2006 16:53:55 -0800 From: "Wolfgang S. Rupprecht" <wolfgang+gnus200611@dailyplanet.dontspam.wsrcc.com> To: freebsd-current@freebsd.org Cc: tech@openbsd.org, openssh-unix-dev@mindrot.org, freebsd-current@freebsd.org Subject: Re: OpenSSH Certkey (PKI) Message-ID: <87odr8i53w.fsf@arbol.wsrcc.com> References: <20061115142820.GB14649@insomnia.benzedrine.cx>
next in thread | previous in thread | raw e-mail | index | archive | help
Daniel Hartmeier <daniel@benzedrine.cx> writes:
> This patch against OpenBSD -current adds a simple form of PKI to
> OpenSSH. We'll be using it at work.
Sounds like something that was needed for a while.
> +A host certificate is a guarantee made by the CA that a host public key is
> +valid. When a host public key carries a valid certificate, the client can
> +use the host public key without asking the user to confirm the fingerprint
> +manually and through out-of-band communication the first time. The CA takes
> +the responsibility of verifying host keys, and users do no longer need to
> +maintain known_hosts files of their own.
This confuses the whole authentication vs. authorization concepts.
authentication - "May I please see your drivers license?"
authorization - "That's a valid license but I don't see your name on
the list to go in."
I would hate to have my ssh allow anyone in just because we used the
same CA. I still see the authorized_keys file as having a very
important role even if the first layer defense is to check if the
certificate is signed by a CA I trust.
> +The CA, specifically the holder of the CA private key (and its password, if it
> +is password encrypted), holds broad control over hosts and user accounts set
> +up in this way. Should the CA private key become compromised, all user
> +accounts become compromised.
> +
> +There is no way to revoke a certificate once it has been published, the
> +certificate is valid until it reaches the expiry date set by the CA.
This fix is in the bag once authorized_keys gets consulted even for
certificates.
-wolfgang
--
Wolfgang S. Rupprecht http://www.wsrcc.com/wolfgang/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?87odr8i53w.fsf>