
Re: OpenSSH Certkey (PKI)

To: Daniel Hartmeier <daniel@benzedrine.cx>
Subject: Re: OpenSSH Certkey (PKI)
From: Stephen Frost <sfrost@snowman.net>
Date: Thu, 16 Nov 2006 16:50:52 -0500
Cc: tech@openbsd.org, openssh-unix-dev@mindrot.org, markus@openbsd.org, freebsd-current@freebsd.org
Delivered-to: sp-com-lists@consult.net
Delivered-to: openssh-unix-dev-list1@securepoint.com
Delivered-to: openssh-unix-dev-tmda@mindrot.org
Delivered-to: openssh-unix-dev@mindrot.org
In-reply-to: <20061115142820.GB14649@insomnia.benzedrine.cx>
List-archive: <http://lists.mindrot.org/pipermail/openssh-unix-dev>
List-help: <mailto:openssh-unix-dev-request@mindrot.org?subject=help>
List-id: Development of portable OpenSSH <openssh-unix-dev.mindrot.org>
List-post: <mailto:openssh-unix-dev@mindrot.org>
List-subscribe: <http://lists.mindrot.org/mailman/listinfo/openssh-unix-dev>, <mailto:openssh-unix-dev-request@mindrot.org?subject=subscribe>
List-unsubscribe: <http://lists.mindrot.org/mailman/listinfo/openssh-unix-dev>, <mailto:openssh-unix-dev-request@mindrot.org?subject=unsubscribe>
Mail-followup-to: Daniel Hartmeier <daniel@benzedrine.cx>, tech@openbsd.org, freebsd-current@freebsd.org, openssh-unix-dev@mindrot.org, markus@openbsd.org
References: <20061115142820.GB14649@insomnia.benzedrine.cx>
Sender: openssh-unix-dev-bounces+openssh-unix-dev-list1=securepoint.com@mindrot.org
User-agent: Mutt/1.5.13 (2006-08-11)
Greetings,

Overall I'd like to see OpenSSH support PKI in addition to the existing
methods.  I'm more keen on it being used for host authentication than
for user certificates, personally.  I did want to comment on this
though:

* Daniel Hartmeier (daniel@benzedrine.cx) wrote:
> +Certkey does not involve online verfication, the CA is not contacted by 
> either
> +client or server. Instead, the CA generates certificates which are (once)
> +distributed to hosts and users. Any subsequent logins take place without the
> +involvment of the CA, based solely on the certificates provided between 
> client
> +and server.
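Review bot: spelling in the added documentation text: "verfication" should be "verification" and "involvment" should be "involvement". Since this paragraph states that the CA is never contacted after the certificates have been distributed, the same paragraph should also say how a certificate that must no longer be trusted is revoked and how a verifier learns of that (the reply below raises CRLs and OCSP); as written, a reader could conclude that a distributed certificate stays valid until it expires.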

Would you consider adding support for OCSP?  I saw a lot of
discussion regarding CRLs (and some of their rather well known
downsides) but only once saw mention of OCSP, and that with no response.
While CRLs are useful in some circumstances I believe OCSP is generally
a better approach.  Ideally, both would be supported.  If I had to pick
one I'd rather see OCSP than CRL support though.

        Thanks,

                Stephen

Attachment: signature.asc
Description: Digital signature

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
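Added example (not OpenSSH or Certkey code, and not part of this thread): a toy Python model of the trade-off the message is about. It verifies a certificate offline, as the quoted text describes, and then layers on two ways a verifier can learn about revocation: a CA-signed CRL that is distributed ahead of time, and an OCSP-style responder that answers per-certificate queries at login time. Everything here is constructed and simplified: the "CA signature" is an HMAC over a canonical serialization using a CA secret (a stand-in for a real public-key signature), certificates and lists are plain dicts, and the responder is an in-process object; the serial numbers, principal name and timeline are made up for the demonstration.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed CA secret: stands in for the CA's private key. A real PKI uses an
# asymmetric signature; HMAC is used here only so the example runs offline.
CA_SECRET = b"constructed-ca-secret-not-a-real-key"


def ca_sign(payload: dict) -> str:
    """Simulated CA signature over a canonical serialization of payload."""
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(CA_SECRET, msg, hashlib.sha256).hexdigest()


def ca_verify(payload: dict, sig: str) -> bool:
    return hmac.compare_digest(ca_sign(payload), sig)


def make_cert(serial: int, principal: str, not_before: int, not_after: int) -> dict:
    body = {"serial": serial, "principal": principal,
            "not_before": not_before, "not_after": not_after}
    return {"body": body, "sig": ca_sign(body)}


def offline_check(cert: dict, now: int) -> bool:
    """Purely offline verification as the quoted text describes it: the CA is
    never contacted; only the signature and the validity window are checked."""
    body = cert["body"]
    return ca_verify(body, cert["sig"]) and body["not_before"] <= now <= body["not_after"]


def make_crl(revoked: set, this_update: int, next_update: int) -> dict:
    """A CA-signed revocation list, distributed to verifiers ahead of time."""
    body = {"revoked": sorted(revoked), "this_update": this_update,
            "next_update": next_update}
    return {"body": body, "sig": ca_sign(body)}


def crl_status(cert: dict, crl: dict, now: int) -> str:
    """'revoked', 'good', 'stale' (past next_update) or 'invalid' (bad signature)."""
    body = crl["body"]
    if not ca_verify(body, crl["sig"]):
        return "invalid"
    if now > body["next_update"]:
        return "stale"
    return "revoked" if cert["body"]["serial"] in body["revoked"] else "good"


class Responder:
    """OCSP-style responder: answers a per-serial query with a signed, fresh status."""

    def __init__(self, revoked: set):
        self.revoked = set(revoked)

    def query(self, serial: int, now: int) -> dict:
        body = {"serial": serial, "produced_at": now,
                "status": "revoked" if serial in self.revoked else "good"}
        return {"body": body, "sig": ca_sign(body)}


class DownResponder:
    """Stands in for a responder that cannot be reached (the availability cost of OCSP)."""

    def query(self, serial: int, now: int) -> dict:
        raise ConnectionError("responder unreachable")


def ocsp_status(cert: dict, responder, now: int) -> str:
    """'revoked', 'good', or 'unknown' when no trustworthy answer was obtained."""
    serial = cert["body"]["serial"]
    try:
        resp = responder.query(serial, now)
    except ConnectionError:
        return "unknown"
    if not ca_verify(resp["body"], resp["sig"]) or resp["body"]["serial"] != serial:
        return "unknown"
    return resp["body"]["status"]


def authorize(cert: dict, now: int, crl: Optional[dict] = None, responder=None,
              fail_closed: bool = True) -> tuple:
    """Combine the checks; returns (accepted, reason). With neither a CRL nor a
    responder configured this is exactly the offline model from the quoted text."""
    if not offline_check(cert, now):
        return False, "bad signature or outside validity window"
    if crl is not None:
        s = crl_status(cert, crl, now)
        if s == "revoked":
            return False, "revoked per CRL"
        if s in ("stale", "invalid") and fail_closed:
            return False, f"CRL {s}"
    if responder is not None:
        s = ocsp_status(cert, responder, now)
        if s == "revoked":
            return False, "revoked per responder"
        if s == "unknown" and fail_closed:
            return False, "responder unavailable"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed timeline: certificate issued at t=0, revoked at t=100, login at t=200.
    cert = make_cert(42, "alice", not_before=0, not_after=1000)
    print(authorize(cert, 200))                                  # offline only: never learns of revocation
    print(authorize(cert, 200, crl=make_crl(set(), 50, 500)))    # CRL issued before revocation: still accepted
    print(authorize(cert, 200, crl=make_crl({42}, 150, 600)))    # reissued CRL: denied
    print(authorize(cert, 200, responder=Responder({42})))       # responder: denied with a fresh answer
    print(authorize(cert, 200, responder=DownResponder()))       # responder down, fail closed: denied
    print(authorize(cert, 200, responder=DownResponder(), fail_closed=False))  # fail open: accepted
```

The timeline in the demo is what makes the two downsides concrete: a CRL signed before the revocation is still within its `next_update` window at login time, so the verifier accepts the revoked certificate until the CA reissues the list, whereas the responder answers correctly but only while it is reachable, so the verifier must choose between failing closed (lockout when the responder is down) and failing open (the offline behaviour again).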