[Bug 3204] Enable user-relative revoked keys files

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Dec 6 22:54:26 AEDT 2024


https://bugzilla.mindrot.org/show_bug.cgi?id=3204

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
So the problem here is that RevokedKeys is a critical option, i.e. if
it is specified then the file must exist and parse successfully.

Enabling per-user revoked keys by reusing the same option but adding
~/, implicit home directories and/or %tokens wouldn't let us retain
this property as not every path expansion will have a krl present.

> Maintaining separate KRLs for each certificate authority is
> best-practice and enables fine-grained control (e.g. revoking the
> signature of a particular key by a particular CA but still allowing
> that same key to be used if it is also signed by a different
> authorized CA)

All this is achievable in authorized_keys. To revoke a specific
signature, @revoked the full certificate. To revoke a CA, @revoked the
CA key. To revoke a key, regardless of CA, @revoked its public key.
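The three authorized_keys revocation cases described in the comment above, as an added illustration that is not part of the bug report and not sshd's own code: a small model that builds ed25519 certificate blobs in OpenSSH's wire layout (with a constructed, unverifiable signature) and applies the stated @revoked / @cert-authority matching rules to authorized_keys text. Key material, principal name "alice" and key ids are constructed.

```python
import base64
import struct

def ssh_string(b):
    return struct.pack(">I", len(b)) + b

def read_string(buf, off):
    n, = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def ed25519_key(pk):  # plain public-key blob for a 32-byte ed25519 key
    return ssh_string(b"ssh-ed25519") + ssh_string(pk)

def ed25519_cert(pk, ca_key, key_id, serial=1):
    # OpenSSH cert wire layout with a placeholder signature: usable for matching, not verification
    return (ssh_string(b"ssh-ed25519-cert-v01@openssh.com") + ssh_string(b"\0" * 32)
            + ssh_string(pk) + struct.pack(">QI", serial, 1) + ssh_string(key_id)
            + ssh_string(ssh_string(b"alice")) + struct.pack(">QQ", 0, 2**64 - 1)
            + ssh_string(b"") * 3 + ssh_string(ca_key) + ssh_string(b"sig-placeholder"))

def cert_fields(cert):  # -> (embedded plain key blob, CA key blob)
    off = 0
    for _ in range(3):                       # type name, nonce, embedded public key
        pk, off = read_string(cert, off)
    off += 12                                # serial (u64) + type (u32)
    for _ in range(2):                       # key id, principals
        _, off = read_string(cert, off)
    off += 16                                # valid_after, valid_before
    for _ in range(3):                       # critical options, extensions, reserved
        _, off = read_string(cert, off)
    return ed25519_key(pk), read_string(cert, off)[0]   # signature (CA) key

def authkey_line(blob, marker=None):
    """Render a blob as an authorized_keys line (no options, no comment)."""
    ktype = read_string(blob, 0)[0].decode()
    return " ".join(filter(None, [marker, ktype, base64.b64encode(blob).decode()]))

def decide(authorized_keys, cert):
    """@revoked on the full cert, its CA key or its plain key rejects; @cert-authority on the CA accepts."""
    entries = []
    for parts in map(str.split, authorized_keys.splitlines()):
        if parts:                            # skip blank lines
            marker = parts.pop(0) if parts[0].startswith("@") else None
            entries.append((marker, base64.b64decode(parts[1])))
    plain, ca = cert_fields(cert)
    if any(m == "@revoked" and k in (cert, ca, plain) for m, k in entries):
        return "revoked"
    if any(m == "@cert-authority" and k == ca for m, k in entries):
        return "allowed"
    return "denied"
```

Revoking the full certificate signed by one CA leaves the same key usable under a certificate from a second CA, while revoking the plain key rejects it regardless of CA, which is the fine-grained control the quoted text asks for.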
