Signing KRLs?

Peter Moody mindrot at hda3.com
Tue Feb 5 07:25:29 AEDT 2019


On Mon, Feb 4, 2019 at 10:32 AM Daniel Schneller <ds at danielschneller.de> wrote:
>
> Hi!
>
> While reading through PROTOCOL.krl I came across "5. KRL signature sections".
>
> If my understanding is correct - and that's basically what I would like to
> get knocked down for if appropriate ;) - this is a way for SSHDs to ensure
> they only accept KRLs signed by a trusted CA.
>
> However, I cannot seem to find a way to actually _sign_ a KRL with ssh-keygen?
> The aforementioned PROTOCOL.krl says that KRL_SECTION_SIGNATURE is optional in
> the file structure, so am I right to assume that ssh-keygen simply does not
> implement the signing of KRLs (yet)? Or do I need to use some other tool I have
> overlooked?

I haven't looked at the code, but the man page implies -s signs the krl.

     -s ca_key
             Certify (sign) a public key using the specified CA key.  Please
             see the CERTIFICATES section for details.

             When generating a KRL, -s specifies a path to a CA public key
             file used to revoke certificates directly by key ID or serial
             number.  See the KEY REVOCATION LISTS section for details.

> Thanks a lot in advance.
>
> Cheers,
> Daniel
>
>
> --
> Daniel Schneller
> ds at danielschneller.com
> Twitter: @dschneller
> http://www.danielschneller.com - Java, iOS, Mac, Windows, Linux and other insanities.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
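As an added illustration of the structure the thread is discussing (this is not code from the thread or from OpenSSH), the following Python walks a KRL blob according to PROTOCOL.krl: the header, the `byte section_type, string section_data` sections, and the differently laid-out `KRL_SECTION_SIGNATURE` section, whose signature covers everything from `KRL_MAGIC` through the `signature_key` string. The sample blob is constructed inline; its key blobs and signature bytes are placeholders rather than real SSH keys, so the parser reports the byte range a verifier would check but performs no signature verification.

```python
import hashlib
import struct

# Section and header constants as listed in OpenSSH's PROTOCOL.krl.
KRL_MAGIC = b"SSHKRL\n\x00"          # 0x5353484b524c0a00 as a big-endian uint64
KRL_FORMAT_VERSION = 1
KRL_SECTION_CERTIFICATES = 1
KRL_SECTION_EXPLICIT_KEY = 2
KRL_SECTION_FINGERPRINT_SHA1 = 3
KRL_SECTION_SIGNATURE = 4
KRL_SECTION_FINGERPRINT_SHA256 = 5
KRL_SECTION_CERT_SERIAL_LIST = 0x20
KRL_SECTION_CERT_KEY_ID = 0x23


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


class _Reader:
    """Cursor over a blob, reading the SSH wire types PROTOCOL.krl is built from."""

    def __init__(self, blob: bytes):
        self.blob, self.off = blob, 0

    def take(self, n: int) -> bytes:
        if self.off + n > len(self.blob):
            raise ValueError("truncated KRL")
        chunk, self.off = self.blob[self.off:self.off + n], self.off + n
        return chunk

    def u8(self) -> int: return self.take(1)[0]
    def u32(self) -> int: return struct.unpack(">I", self.take(4))[0]
    def u64(self) -> int: return struct.unpack(">Q", self.take(8))[0]
    def string(self) -> bytes: return self.take(self.u32())
    def at_end(self) -> bool: return self.off >= len(self.blob)


def _strings(data: bytes) -> list:
    """Decode a body made of concatenated SSH strings (key blobs, hashes, key IDs)."""
    r, out = _Reader(data), []
    while not r.at_end():
        out.append(r.string())
    return out


def _parse_section(stype: int, data: bytes) -> dict:
    if stype == KRL_SECTION_EXPLICIT_KEY:
        return {"type": stype, "keys": _strings(data)}
    if stype in (KRL_SECTION_FINGERPRINT_SHA1, KRL_SECTION_FINGERPRINT_SHA256):
        return {"type": stype, "hashes": _strings(data)}
    if stype == KRL_SECTION_CERTIFICATES:
        r = _Reader(data)
        sec = {"type": stype, "ca_key": r.string(), "serials": [], "key_ids": []}
        r.string()                                    # reserved field, ignored
        while not r.at_end():                         # cert sub-sections: byte type, string data
            sub_type, sub = r.u8(), r.string()
            if sub_type == KRL_SECTION_CERT_SERIAL_LIST:
                sec["serials"] += list(struct.unpack(">%dQ" % (len(sub) // 8), sub))
            elif sub_type == KRL_SECTION_CERT_KEY_ID:
                sec["key_ids"] += _strings(sub)
        return sec
    return {"type": stype, "raw": data}               # unknown type: keep the bytes, don't guess


def parse_krl(blob: bytes) -> dict:
    """Walk a KRL and return its header, revocation sections and signature sections."""
    r = _Reader(blob)
    if r.take(8) != KRL_MAGIC:
        raise ValueError("not a KRL (bad magic)")
    if r.u32() != KRL_FORMAT_VERSION:
        raise ValueError("unsupported KRL format version")
    krl = {"krl_version": r.u64(), "generated_date": r.u64(), "flags": r.u64(),
           "reserved": r.string(), "comment": r.string().decode("utf-8", "replace"),
           "sections": [], "signatures": []}
    while not r.at_end():
        stype = r.u8()
        if stype == KRL_SECTION_SIGNATURE:
            # Different layout: two strings follow the type byte, no section_data wrapper.
            signature_key = r.string()
            signed_end = r.off   # signature covers blob[0:signed_end] (magic .. signature_key)
            krl["signatures"].append({"key": signature_key, "signature": r.string(),
                                      "signed_end": signed_end})
        else:
            krl["sections"].append(_parse_section(stype, r.string()))
    return krl


# Constructed sample; key blobs and signature bytes are placeholders, not real SSH keys.
SAMPLE_KEY_BLOB = b"placeholder-public-key-blob"
SAMPLE_CA_BLOB = b"placeholder-ca-public-key-blob"
SAMPLE_SIGNATURE = b"placeholder-signature-bytes"


def build_sample_krl() -> bytes:
    """Assemble a KRL with one of each section type the parser above understands."""
    header = (KRL_MAGIC + struct.pack(">I", KRL_FORMAT_VERSION)
              + struct.pack(">QQQ", 1, 1549300000, 0)      # krl_version, generated_date, flags
              + ssh_string(b"") + ssh_string(b"constructed example KRL"))
    certs = (ssh_string(SAMPLE_CA_BLOB) + ssh_string(b"")   # ca_key, reserved
             + bytes([KRL_SECTION_CERT_SERIAL_LIST]) + ssh_string(struct.pack(">QQ", 1, 7))
             + bytes([KRL_SECTION_CERT_KEY_ID]) + ssh_string(ssh_string(b"alice@example")))
    body = (header
            + bytes([KRL_SECTION_CERTIFICATES]) + ssh_string(certs)
            + bytes([KRL_SECTION_EXPLICIT_KEY]) + ssh_string(ssh_string(SAMPLE_KEY_BLOB))
            + bytes([KRL_SECTION_FINGERPRINT_SHA256])
            + ssh_string(ssh_string(hashlib.sha256(SAMPLE_KEY_BLOB).digest())))
    return body + bytes([KRL_SECTION_SIGNATURE]) + ssh_string(SAMPLE_CA_BLOB) + ssh_string(SAMPLE_SIGNATURE)


if __name__ == "__main__":
    krl = parse_krl(build_sample_krl())
    print(krl["comment"], [s["type"] for s in krl["sections"]])
    print("signed bytes:", krl["signatures"][0]["signed_end"], "key:", krl["signatures"][0]["key"])
```

The certificates section is where the CA key named by `-s` on a KRL-generating `ssh-keygen` run ends up, alongside the serials and key IDs it revokes; the signature section is separate and carries its own key blob. A consumer that wanted to honour a signature section would verify `signature` over `blob[:signed_end]` with `key`, and would still have to decide on its own whether that key is a CA it trusts, since nothing in the format ties the two together.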