OpenSSH Certkey (PKI)

Brian Keefer chort at
Thu Nov 16 05:45:49 EST 2006

On Nov 15, 2006, at 9:47 AM, Bob Beck wrote:

> 	In other words, I have to maintain a pre-populated "un-authorized"
> keys file  because in any real deployment you are GOING to have these.
> and quite frequently with any sizable deployment. So I still have
> to maintain a file.
> 	"authorized keys" -> anything that is not allowed is denied.
> 	"un-authorized keys" -> anything that is not denied is allowed.
> 	NOT being prepared to maintain a file when doing this
> is pretty much akin to "Don't worry, I'll pull out before I cum".  
> Everything's
> great until there a problem and then it's a fuckshow.
> 	Don't get me wrong, I think this is possibly useful, but I don't
> think it should go in incomplete like this. In my view it is complete
> where when turning it on you specify a set of (possibly other) ssh
> server(s) the server itself will connect to and use as a CRL when
> presented with a key. - i.e. we should make it decently doable and
> document how to use a CRL in this case.
> 	-Bob

That sounds very much like OCSP.  The objections to CRL distribution  
style revocation are pretty valid, IMO.

Brian Keefer
"The Experts in Secure Internet Communication"

More information about the openssh-unix-dev mailing list