HostKey Management

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Jan 17 12:06:23 EST 2013


On 01/16/2013 10:40 AM, Mike Kelly wrote:
> 1) Is there some other option that I'm missing above?

The monkeysphere is another option:

 http://web.monkeysphere.info/

The monkeysphere wraps your host key in an OpenPGP certificate, which
allows you (and anyone) to certify the key's association with a given
host; it also allows anyone to verify those certifications directly.
For servers that the general public interacts with (e.g. pair's shared
servers) this could be useful even beyond the in-house utility of known
key distribution.

The only human interactions needed would be to supply some credential to
grant access to the certifying key when a machine is newly created (if
you have an automated installation mechanism, this could be included
directly).

The monkeysphere also allows you to take care of revocations using
standard OpenPGP revocation mechanisms, and to distribute those
revocations via the same OpenPGP keyserver network that is already in use.

If you don't want the keys public, you can also distribute them via a
private keyserver (or a private keyserver network), which is pretty
straightforward to install.

hth,

	--dkg

PS if it's not clear, i'm a contributor to the monkeysphere project.
