OpenSSH Certkey (PKI)

Andre Oppermann andre at
Thu Nov 16 09:38:58 EST 2006

Brian Keefer wrote:
> On Nov 15, 2006, at 9:47 AM, Bob Beck wrote:
>>     In other words, I have to maintain a pre-populated "un-authorized"
>> keys file  because in any real deployment you are GOING to have these.
>> and quite frequently with any sizable deployment. So I still have
>> to maintain a file.
>>     "authorized keys" -> anything that is not allowed is denied.
>>     "un-authorized keys" -> anything that is not denied is allowed.
>>     NOT being prepared to maintain a file when doing this
>> is pretty much akin to "Don't worry, I'll pull out before I cum". 
>> Everything's
>> great until there a problem and then it's a fuckshow.
> <snip>
>>     Don't get me wrong, I think this is possibly useful, but I don't
>> think it should go in incomplete like this. In my view it is complete
>> where when turning it on you specify a set of (possibly other) ssh
>> server(s) the server itself will connect to and use as a CRL when
>> presented with a key. - i.e. we should make it decently doable and
>> document how to use a CRL in this case.
> <snip>
>>     -Bob
> That sounds very much like OCSP.  The objections to CRL distribution 
> style revocation are pretty valid, IMO.

Mind you we (OpenSSH) provide tools, not policy.  The tools however
should easily accommodate the largest subset of sound policies.  There
are enough valid cases and policies where a simple blacklist is sufficient.

As per reply to Bob we will provide an automatic system for live CERT
validation too.


More information about the openssh-unix-dev mailing list