[Bug 3204] Enable user-relative revoked keys files
bugzilla-daemon at mindrot.org
Fri Dec 6 22:54:26 AEDT 2024
https://bugzilla.mindrot.org/show_bug.cgi?id=3204
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
So the problem here is that RevokedKeys is a critical option, i.e. if
it is specified then the file must exist and parse successfully.
Enabling per-user revoked keys by reusing the same option but adding
~/, implicit home directories and/or %tokens wouldn't let us retain
this property as not every path expansion will have a KRL present.
> Maintaining separate KRLs for each certificate authority is best-
> practice and enables fine-grained control (e.g. revoking the signature
> of a particular key by a particular CA but still allowing that same key
> to be used if it is also signed by a different authorized CA)
All this is achievable in authorized_keys. To revoke a specific
signature, @revoked the full certificate. To revoke a CA, @revoked the
CA key. To revoke a key, regardless of CA, @revoked its public key.
More information about the openssh-bugs mailing list
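The three revocation forms Damien describes (a full certificate, a CA key, a bare public key) can be tried out against a small model of authorized_keys processing. The following is an added example written for this page, not OpenSSH's own code: it implements a simplified version of the matching rules for ssh-ed25519 keys only, does not verify certificate signatures, ignores option prefixes on authorized_keys lines, and uses constructed placeholder key bytes (CA1, CA2, ALICE, BOB) rather than real key pairs; all function names are this example's own.

```python
"""Toy model of @cert-authority / @revoked handling in authorized_keys.

Added illustration for this page, not OpenSSH code: only ssh-ed25519 and its
certificate type are modelled, signatures are NOT verified, option prefixes on
lines are not parsed, and every key is a constructed placeholder."""
import base64
import struct

ED25519 = "ssh-ed25519"
ED25519_CERT = "ssh-ed25519-cert-v01@openssh.com"


def s(b: bytes) -> bytes:
    """SSH 'string' encoding: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def ed25519_blob(pk: bytes) -> bytes:
    """Wire-format public key blob, as base64-encoded in authorized_keys."""
    return s(ED25519.encode()) + s(pk)


def make_cert(subject_pk: bytes, ca_pk: bytes, key_id: str) -> bytes:
    """ssh-ed25519-cert-v01 blob with the real field layout; nonce and
    signature are constant placeholders (constructed, never verified)."""
    return (s(ED25519_CERT.encode()) + s(b"\x11" * 32) + s(subject_pk)
            + struct.pack(">QI", 1, 1)                   # serial, type=user
            + s(key_id.encode()) + s(s(b"alice"))        # key id, principals
            + struct.pack(">QQ", 0, 2**64 - 1)           # valid_after/before
            + s(b"") + s(b"") + s(b"")                   # crit opts, exts, reserved
            + s(ed25519_blob(ca_pk))                     # signature key = the CA
            + s(s(ED25519.encode()) + s(b"\x00" * 64)))  # dummy signature


def parse_cert(blob: bytes):
    """Return (subject public key blob, CA public key blob) of a cert."""
    ktype, off = read_string(blob, 0)
    if ktype.decode() != ED25519_CERT:
        raise ValueError("unsupported certificate type")
    _nonce, off = read_string(blob, off)
    pk, off = read_string(blob, off)
    off += 12                                  # serial (8) + type (4)
    for _ in range(2):                         # key id, valid principals
        _, off = read_string(blob, off)
    off += 16                                  # valid_after, valid_before
    for _ in range(3):                         # critical opts, exts, reserved
        _, off = read_string(blob, off)
    ca, _ = read_string(blob, off)
    return ed25519_blob(pk), ca


def parse_authorized_keys(text: str):
    """Yield (marker or None, key type, decoded blob) per non-comment line."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):
            entries.append((fields[0], fields[1], base64.b64decode(fields[2])))
        else:
            entries.append((None, fields[0], base64.b64decode(fields[1])))
    return entries


def is_authorized(entries, ktype: str, blob: bytes) -> bool:
    """Revocations are checked first; only then is acceptance considered."""
    subject, ca = parse_cert(blob) if ktype == ED25519_CERT else (blob, None)
    for marker, etype, eblob in entries:
        if marker != "@revoked":
            continue
        if etype == ED25519_CERT:
            if ktype == ED25519_CERT and eblob == blob:
                return False     # this one certificate (one CA signature) revoked
        elif eblob in (subject, ca):
            return False         # bare key revoked for every CA, or the CA itself
    for marker, etype, eblob in entries:
        if marker == "@cert-authority" and ca is not None and eblob == ca:
            return True          # cert signed by a trusted CA
        if marker is None and ca is None and eblob == subject:
            return True          # plain key listed directly
    return False


def b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()


# Constructed placeholder keys: two CAs and two users (not real key pairs).
CA1, CA2 = ed25519_blob(b"\x01" * 32), ed25519_blob(b"\x02" * 32)
ALICE, BOB = b"\x03" * 32, b"\x04" * 32
CERT_ALICE_CA1 = make_cert(ALICE, b"\x01" * 32, "alice-from-ca1")
CERT_ALICE_CA2 = make_cert(ALICE, b"\x02" * 32, "alice-from-ca2")
CERT_BOB_CA1 = make_cert(BOB, b"\x01" * 32, "bob-from-ca1")

AUTHORIZED_KEYS = f"""
@cert-authority {ED25519} {b64(CA1)}
@cert-authority {ED25519} {b64(CA2)}
# revoke one specific signature: Alice's cert from CA1, by full certificate
@revoked {ED25519_CERT} {b64(CERT_ALICE_CA1)}
# revoke Bob's key regardless of which CA signed it
@revoked {ED25519} {b64(ed25519_blob(BOB))}
"""


def evaluate(authorized_keys: str = AUTHORIZED_KEYS) -> dict:
    entries = parse_authorized_keys(authorized_keys)
    return {
        "alice_ca1": is_authorized(entries, ED25519_CERT, CERT_ALICE_CA1),
        "alice_ca2": is_authorized(entries, ED25519_CERT, CERT_ALICE_CA2),
        "bob_ca1": is_authorized(entries, ED25519_CERT, CERT_BOB_CA1),
        "alice_plain": is_authorized(entries, ED25519, ed25519_blob(ALICE)),
    }


if __name__ == "__main__":
    print(evaluate())
```

Adding a line `@revoked ssh-ed25519 <CA1 key>` to the same file is the third form from the comment: every certificate signed by CA1 is then refused while Alice's CA2 certificate stays valid, which is the per-CA granularity the reporter wanted without a second KRL file.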