Signing KRLs?
Damien Miller
djm at mindrot.org
Tue Feb 5 11:50:38 AEDT 2019
On Mon, 4 Feb 2019, Daniel Schneller wrote:
> Hi!
>
> While reading through PROTOCOL.krl I came across "5. KRL signature sections".
>
> If my understanding is correct - and that's basically what I would like to
> get knocked down for if appropriate ;) - this is a way for SSHDs to ensure
> they only accept KRLs signed by a trusted CA.
>
> However, I cannot seem to find a way to actually _sign_ a KRL with ssh-keygen?
> The aforementioned PROTOCOL.krl says that KRL_SECTION_SIGNATURE is optional in
> the file structure, so am I right to assume that ssh-keygen simply does not
> implement the signing of KRLs (yet)? Or do I need to use some other tool I have
> overlooked?
Hi,
Support for signatures is in the KRL spec and is implemented in the
krl.[ch] library but I've never actually plumbed that support through
to ssh-keygen.
It's not hard to do; IMO the hardest part is figuring out a good UI
for it.
-d
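As an added example (not from this thread and not OpenSSH's own krl.c), a small Python walker that follows the section layout in PROTOCOL.krl and reports whether a KRL carries a KRL_SECTION_SIGNATURE section, which key blob it names, and which bytes that signature covers. The sample KRL and its key/signature bytes are constructed placeholders, so no signature is actually verified here.

```python
import struct

KRL_MAGIC = b"SSHKRL\n\x00"   # "SSHKRL\n\0" per PROTOCOL.krl
KRL_FORMAT_VERSION = 1
KRL_SECTION_EXPLICIT_KEY = 2
KRL_SECTION_SIGNATURE = 4

def ssh_string(b):
    # SSH wire "string": big-endian uint32 length, then the bytes
    return struct.pack(">I", len(b)) + b

def _read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated string at offset %d" % off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_krl(blob):
    """Return (header, [(section_type, section_data)], [(signature_key, signature,
    covered)]); `covered` is KRL_MAGIC through signature_key, the signed range."""
    fmt, krl_version, generated, flags = struct.unpack_from(">IQQQ", blob, 8)
    if blob[:8] != KRL_MAGIC or fmt != KRL_FORMAT_VERSION:
        raise ValueError("not a supported KRL")
    off = 36                     # 8 magic + uint32 + 3 * uint64
    _reserved, off = _read_string(blob, off)
    comment, off = _read_string(blob, off)
    header = {"krl_version": krl_version, "generated_date": generated,
              "flags": flags, "comment": comment}
    sections, signatures = [], []
    while off < len(blob):
        stype, off = blob[off], off + 1
        if stype == KRL_SECTION_SIGNATURE:
            # A signature section holds two strings directly, not one wrapped body
            key, key_end = _read_string(blob, off)
            sig, off = _read_string(blob, key_end)
            signatures.append((key, sig, blob[:key_end]))
        else:
            body, off = _read_string(blob, off)
            sections.append((stype, body))
    return header, sections, signatures

def sample_krl(signed=True):
    # Constructed sample KRL; the key and signature are placeholders, not valid crypto.
    krl = KRL_MAGIC + struct.pack(">IQQQ", KRL_FORMAT_VERSION, 7, 1549325438, 0)
    krl += ssh_string(b"") + ssh_string(b"constructed example")
    krl += bytes([KRL_SECTION_EXPLICIT_KEY]) + ssh_string(ssh_string(b"PLACEHOLDER-KEY-BLOB"))
    if signed:
        krl += bytes([KRL_SECTION_SIGNATURE]) + ssh_string(b"PLACEHOLDER-CA-KEY")
        krl += ssh_string(b"PLACEHOLDER-SIGNATURE")
    return krl
```

A consumer that insists on signed KRLs would reject any file for which the returned signature list is empty, and otherwise verify `signature` over `covered` with its trusted CA key rather than with the `signature_key` embedded in the file.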