[Bug 3869] Loading "only" an ssh certificate in ssh-agent with ssh-add unnecessarily loads the private key and always exits with an error even when successful
bugzilla-daemon at mindrot.org
Mon Sep 29 17:55:08 AEST 2025
https://bugzilla.mindrot.org/show_bug.cgi?id=3869
--- Comment #2 from Brendan Hide <brendan at swiftspirit.co.za> ---
> If it is possible to load a certificate without the private key, then there is no proof that the user loading the certificate has *access* to the private key material that corresponds to that certificate.
Perhaps I don't understand the security model well. If the agent has a
certificate and the client tries to load a new one with a matching
pubkey+signer/etc (and with a newer expiry date), I'm not sure it
really matters that the client doesn't have access to the private key.
As a parallel, cert issuers never have access to your private keys,
only your public keys.
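As an added example, not OpenSSH's code and not part of this bug thread, the following stdlib-only Python decodes the certificate format the discussion is about (the `ssh-ed25519-cert-v01@openssh.com` layout from OpenSSH's PROTOCOL.certkeys) and performs the two checks an agent needs before it can sign with a certificate: the certificate must be bound to the public key the agent holds, and the current time must fall inside its validity window. The key bytes, key ID, principal and the zeroed nonce and CA signature in `build_cert` are constructed placeholders, so the blob is structurally valid but carries no real signature.

```python
import base64
import struct
import time
from typing import Optional, Tuple

CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com"


def _string(b: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


class _Reader:
    """Sequential reader for the SSH wire types used by the certificate."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def u32(self) -> int:
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v

    def u64(self) -> int:
        (v,) = struct.unpack_from(">Q", self.data, self.pos)
        self.pos += 8
        return v

    def string(self) -> bytes:
        n = self.u32()
        out = self.data[self.pos:self.pos + n]
        self.pos += n
        return out


def build_cert(pubkey32: bytes, ca_pubkey32: bytes, key_id: str,
               valid_after: int, valid_before: int) -> str:
    """Build a constructed 'ssh-ed25519-cert-v01@openssh.com AAAA...' line.

    Field order follows PROTOCOL.certkeys. The nonce and the CA signature
    are zero placeholders (constructed for the example, not a real signature).
    """
    ca_blob = _string(b"ssh-ed25519") + _string(ca_pubkey32)
    body = (_string(CERT_TYPE.encode())
            + _string(b"\x00" * 32)                 # nonce (placeholder)
            + _string(pubkey32)                     # the certified public key
            + struct.pack(">Q", 1)                  # serial
            + struct.pack(">I", 1)                  # type: 1 = user certificate
            + _string(key_id.encode())              # key id
            + _string(_string(b"brendan"))          # valid principals (constructed)
            + struct.pack(">Q", valid_after)
            + struct.pack(">Q", valid_before)
            + _string(b"")                          # critical options
            + _string(b"")                          # extensions
            + _string(b"")                          # reserved
            + _string(ca_blob)                      # signature key (the CA)
            + _string(_string(b"ssh-ed25519") + _string(b"\x00" * 64)))  # placeholder signature
    return f"{CERT_TYPE} {base64.b64encode(body).decode()}"


def parse_cert(line: str) -> dict:
    """Decode the fields of a certificate line into a dict."""
    kind, b64 = line.split()[:2]
    r = _Reader(base64.b64decode(b64))
    if kind != CERT_TYPE or r.string().decode() != CERT_TYPE:
        raise ValueError("unsupported certificate type")
    r.string()                                       # nonce
    cert = {"pubkey": r.string(), "serial": r.u64(), "type": r.u32(),
            "key_id": r.string().decode(), "principals": []}
    pr = _Reader(r.string())                         # principals: nested strings
    while pr.pos < len(pr.data):
        cert["principals"].append(pr.string().decode())
    cert["valid_after"], cert["valid_before"] = r.u64(), r.u64()
    for _ in range(3):                               # critical options, extensions, reserved
        r.string()
    ca = _Reader(r.string())
    ca.string()                                      # CA key type
    cert["ca_pubkey"] = ca.string()
    return cert


def cert_usable_with_key(cert: dict, pubkey32: bytes,
                         now: Optional[int] = None) -> Tuple[bool, str]:
    """Checks an agent must pass before signing with a certificate: the
    certificate is bound to exactly one public key, so it is only useful
    alongside the private key of that pair, and it must be within its window."""
    now = int(time.time()) if now is None else now
    if cert["pubkey"] != pubkey32:
        return False, "certificate is bound to a different public key"
    if not (cert["valid_after"] <= now < cert["valid_before"]):
        return False, "certificate is outside its validity window"
    return True, "ok"
```

The pubkey comparison is the point of interest for the thread: a certificate by itself lets anyone who holds it read the public key, principals and expiry, but a signature over an SSH authentication challenge can only be produced with the private half of that exact key, which is what the agent is for.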