On Tue, Mar 02, 2021 at 03:23:24PM -0800, Michael Thomas wrote: > So I just looked up ssh certificates which I think somebody mentioned. This > is a prime example of throwing needless complexity at a problem. If you just > added the user's public keys to, say, an LDAP repo, you get the scaling they In the 80s the naive assumption was made that we'd have "white pages" -- directories -- where we could do such lookups. I think that's what you have in mind since you refer to an "LDAP repo". That did not work, and cannot work because it has privacy issues, at least when you do lookups _by name_. Now, maybe you have something different in mind. The authenticating party presents a directory name, a public key, and a signature, and the RP looks up the key in the directory to get a name? That might not have privacy issues, but it still requires online infra that someone has to pay for, and that RPs need to contact (so they need to do async I/O, naturally). More things to break. And, of course, LDAP is insanely complex and brings X.500 naming right back into the picture completely unnecessarily (along with ASN.1, naturally). > claim to be solving for, and avoid all of the needless complexity of issuing > certs and installing them on the client. The client ssh doesn't need to do > anything different as bonus. With LDAP you get the added bonus that it can The client is also a relying party though, since it has to authenticate the server. > dish out attributes for things like roles and permissions, which would be a > giant headache if it had to be done with reissued certs every time your role > or permission changed. Certificates are infinitely easier. Now, you mention "the needless complexity of issuing certs and installing them on the [authenticating party]". But that's not so complex. You can run an online CA that issues short-lived client certificates based on a longer-lived credential, and that and "installing" the certificates (and private keys) are purely internal details that users shouldn't need to know. That works for corporate networks, but it should work for a home network too. For a Mesh-like scheme you're really going to need long-lived (forever) device public keys and revoke them only in the sense of removing the public keys from Alice's other devices, and there is a directory in Mesh case, but it's purely local (just Alice's devices, which should be few enough that the whole thing scales fine). > I'm trying to think of major things that use public key authentication. > There's TLS with certs, DKIM using raw public keys, and SSH mainly using raw > public keys. Am I missing anything else that is widely deployed? DNSsec and > BGP are still pretty skimpy from what I can tell. Kerberos, with PKINIT. Mosh? But note that SSH, TLS, and Kerberos (or, rather, GSS-API) covers... a lot of protocols -- practically all Internet protocols. Nico --