OpenSSH Certkey (PKI) adding CAL (online verification)
chefren
chefren at pi.net
Thu Nov 16 12:17:16 PST 2006
On 11/16/06 19:01, Daniel Hartmeier wrote:
> On Wed, Nov 15, 2006 at 10:47:47AM -0700, Bob Beck wrote:
>
>> So, my two cents, make it complete first. Making an architecture
>> for ssh that makes it easy to add trust centrally WITHOUT MAKING IT
>> EASY TO REMOVE IT is irresponsible.
>
> Thank you for the rant ;)
>
> Here's the result. Adding a simple daemon that the OpenSSH servers
> can query (over UDP port 22) to check user keys. See the first patch
> chunk for details.
>
> Is this what you had in mind?
>
> Daniel
Gentlemen,
I fully agree with the concerns of Bob Beck and I'm happy with the
attention of Daniel Hartmeier. And while everything is better than SSL...
The security and thus revocation should always be on, by default.
So it's a certificate system with off-line use of certificates with
inherently bad revocation, since you cannot revoke a certificate without
being on-line with the authorizing server.
Or it should be an on-line (might of course be local) system where the
authorizing server (and hopefully a well-designed backup...) is at
least always asked if access is OK at the beginning of a session
(hopefully possible to limit with time or amount of traffic or packets
or or... (but don't rebuild SSL!)).
Please drop the classic "off-line" PKI scheme and present us an
elegant and robust on-line system.
+++chefren
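Added example, not from this thread and not Daniel's patch (which is not reproduced here): a Python sketch of the two schemes being argued over, an off-line authorized-keys check with no revocation beside an on-line check that asks an authorizing daemon at session start and fails closed. The key names, revocation list, shared secret and the request/reply layout are constructed assumptions; the UDP round trip is modelled as a callable so a timeout and a spoofed reply can be exercised without a network.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (stand-ins, not from the thread): the keys an sshd
# host accepts, and the revocation list held only by the authorizing daemon.
AUTHORIZED = {"alice": "ssh-rsa-alice-demo", "bob": "ssh-rsa-bob-demo"}
REVOKED = {"ssh-rsa-bob-demo"}
SHARED_SECRET = b"constructed-demo-secret"  # assumed pre-shared sshd<->daemon key


def _mac(body: bytes) -> bytes:
    """Hex HMAC so the reply stays free of the '|' field separator."""
    return hmac.new(SHARED_SECRET, body, hashlib.sha256).hexdigest().encode()


def daemon_reply(request: bytes) -> bytes:
    """Daemon side of the (assumed) UDP exchange: echo the nonce, add a verdict,
    and authenticate both so a spoofed datagram cannot simply say OK."""
    nonce, key = request.split(b"|", 1)
    verdict = b"REVOKED" if key.decode() in REVOKED else b"OK"
    body = nonce + b"|" + verdict
    return body + b"|" + _mac(body)


def offline_check(user: str, key: str) -> bool:
    """Classic off-line scheme: a key once installed stays valid; REVOKED is never consulted."""
    return AUTHORIZED.get(user) == key


def online_check(user: str, key: str, transport) -> bool:
    """On-line scheme: ask the authorizing daemon at session start, fail closed on doubt.

    `transport` models the UDP round trip: given the request datagram it returns
    the reply datagram, or None when the daemon does not answer in time."""
    if AUTHORIZED.get(user) != key:
        return False
    nonce = secrets.token_hex(16).encode()
    reply = transport(nonce + b"|" + key.encode())
    if reply is None:  # daemon unreachable: deny rather than fall back to off-line trust
        return False
    parts = reply.split(b"|")
    if len(parts) != 3:
        return False
    got_nonce, verdict, mac = parts
    # Reply must answer *this* query and carry a valid MAC; UDP alone proves neither.
    if got_nonce != nonce or not hmac.compare_digest(mac, _mac(got_nonce + b"|" + verdict)):
        return False
    return verdict == b"OK"
```

The off-line check happily accepts bob's revoked key, while the on-line check refuses it, refuses when the daemon is silent, and refuses a forged "OK" whose MAC does not verify.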