[Bug 3204] Enable user-relative revoked keys files

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sat Aug 29 09:53:21 AEST 2020


https://bugzilla.mindrot.org/show_bug.cgi?id=3204

--- Comment #1 from Jordan Macdonald <macdjord at gmail.com> ---
Note: Both approaches - this one and the one suggested in
https://bugzilla.mindrot.org/show_bug.cgi?id=2328 - offer distinct
advantages:
* Maintaining separate KRLs for each certificate authority is
best-practice and enables fine-grained control (e.g. revoking the
signature of a particular key by a particular CA but still allowing
that same key to be used if it is also signed by a different authorized
CA)
* However, not everyone follows best practices, and many users will
just want to have one file to append their old/invalid/compromised keys
to without having to specify `crl-file="~/.ssh/revoked_keys"`
separately for every CA in `authorized_keys`

Either option would satisfactorily solve the issue of allowing users to
control their own revocations, but the ideal solution would probably be
to offer both.


Also, if per-user revocation files are supported, it would probably be
a good idea to give `RevokedKeys` a suitable default; I suggest
`.ssh/revoked_keys`. It seems unwise to enable user-specified CAs by
default without offering user-specified revocation.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list