Signing KRLs?
Daniel Schneller
ds at danielschneller.de
Tue Feb 5 07:31:55 AEDT 2019
On Mon, Feb 4, 2019 at 9:25 PM Peter Moody <mindrot at hda3.com> wrote:
> On Mon, Feb 4, 2019 at 10:32 AM Daniel Schneller <ds at danielschneller.de>
> wrote:
> >
> > Hi!
> >
> > While reading through PROTOCOL.krl I came across "5. KRL signature
> sections".
> >
> > If my understanding is correct - and that's basically what I would like
> to
> > get knocked down for if appropriate ;) - this is a way for SSHDs to
> ensure
> > they only accept KRLs signed by a trusted CA.
> >
> > However, I cannot seem to find a way to actually _sign_ a KRL with
> ssh-keygen?
> > The aforementioned PROTOCOL.krl says that KRL_SECTION_SIGNATURE is
> optional in
> > the file structure, so am I right to assume that ssh-keygen simply does
> not
> > implement the signing of KRLs (yet)? Or do I need to use some other tool
> I have
> > overlooked?
>
> I haven't looked at the code, but the man page implies -s signs the krl.
>
> -s ca_key
> Certify (sign) a public key using the specified CA key.
> Please
> see the CERTIFICATES section for details.
>
> When generating a KRL, -s specifies a path to a CA public key
> file used to revoke certificates directly by key ID or serial
> number. See the KEY REVOCATION LISTS section for details.
>
>
I thought so, too, but it does not really make sense to me. You provide
the _public_ key of the CA, so it can’t be for signing. Instead I believe
it is to give context to the serial number and/or key IDs you want to
revoke.
That last part could be me misreading things, but for signing it would
need the private CA key, would it not?
Daniel
On Mon, Feb 4, 2019 at 9:25 PM Peter Moody <mindrot at hda3.com> wrote:
> On Mon, Feb 4, 2019 at 10:32 AM Daniel Schneller <ds at danielschneller.de>
> wrote:
> >
> > Hi!
> >
> > While reading through PROTOCOL.krl I came across "5. KRL signature
> sections".
> >
> > If my understanding is correct - and that's basically what I would like
> to
> > get knocked down for if appropriate ;) - this is a way for SSHDs to
> ensure
> > they only accept KRLs signed by a trusted CA.
> >
> > However, I cannot seem to find a way to actually _sign_ a KRL with
> ssh-keygen?
> > The aforementioned PROTOCOL.krl says that KRL_SECTION_SIGNATURE is
> optional in
> > the file structure, so am I right to assume that ssh-keygen simply does
> not
> > implement the signing of KRLs (yet)? Or do I need to use some other tool
> I have
> > overlooked?
>
> I haven't looked at the code, but the man page implies -s signs the krl.
>
> -s ca_key
> Certify (sign) a public key using the specified CA key.
> Please
> see the CERTIFICATES section for details.
>
> When generating a KRL, -s specifies a path to a CA public key
> file used to revoke certificates directly by key ID or serial
> number. See the KEY REVOCATION LISTS section for details.
>
> > Thanks a lot in advance.
> >
> > Cheers,
> > Daniel
> >
> >
> > --
> > Daniel Schneller
> > ds at danielschneller.com
> > Twitter: @dschneller
> > http://www.danielschneller.com - Java, iOS, Mac, Windows, Linux and
> other insanities.
> >
> > _______________________________________________
> > openssh-unix-dev mailing list
> > openssh-unix-dev at mindrot.org
> > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
--
Daniel Schneller
ds at danielschneller.com
Twitter: @dschneller
http://www.danielschneller.com - Java, iOS, Mac, Windows, Linux and other
insanities.
More information about the openssh-unix-dev
mailing list