Yegor Ievlev wrote:
> Can you tell what problem with SSH certificate revocation does
> software you wrote for Uber solve?

Most implementations simply issue short-term certs for freshly generated key pairs, only valid for a few hours. With automatic loading of cert/key into ssh-agent you also prevent insecure storage of the private keys. Detecting a security issue and reliably rolling out revocation lists on tens of thousands of machines likely takes longer than this validity period.

There are already several implementations you can find on GitHub and elsewhere. I've also implemented such a service for a customer recently.

Ciao, Michael.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
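The short-lived certificate scheme Michael describes above, as an added example that is not part of this thread and not code from any of the implementations it mentions: a Python encoder and decoder for the OpenSSH `ssh-ed25519-cert-v01@openssh.com` wire format, the time and principal checks sshd applies (`valid_after <= now < valid_before`, login name listed as a principal), and a helper that bounds how long a stolen certificate stays usable when a KRL takes longer to reach hosts than the certificate lives. The key id, principal, timestamps and all key material are constructed assumptions; the signature field is a placeholder, so the blob is structurally valid but not cryptographically signed.

```python
import struct
import time

# Encoding helpers for the SSH wire types (RFC 4251 string / uint32 / uint64).
def _string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _uint32(n: int) -> bytes:
    return struct.pack(">I", n)

def _uint64(n: int) -> bytes:
    return struct.pack(">Q", n)

def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string field")
    return buf[off:off + n], off + n

def _read_uint32(buf: bytes, off: int):
    return struct.unpack_from(">I", buf, off)[0], off + 4

def _read_uint64(buf: bytes, off: int):
    return struct.unpack_from(">Q", buf, off)[0], off + 8

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
SSH2_CERT_TYPE_USER = 1

def build_user_cert(key_id, principals, valid_after, valid_before, serial=1):
    """Encode an OpenSSH user certificate blob in the documented field order.
    Constructed example: user key, CA key, nonce and signature are placeholder
    bytes, so the blob parses correctly but carries no real Ed25519 signature."""
    user_pk = b"\x01" * 32          # placeholder user public key (constructed)
    ca_pk = b"\x02" * 32            # placeholder CA public key (constructed)
    principals_blob = b"".join(_string(p.encode()) for p in principals)
    body = (
        _string(CERT_TYPE)
        + _string(b"\x00" * 32)     # nonce (a real CA uses random bytes)
        + _string(user_pk)
        + _uint64(serial)
        + _uint32(SSH2_CERT_TYPE_USER)
        + _string(key_id.encode())
        + _string(principals_blob)
        + _uint64(valid_after)
        + _uint64(valid_before)
        + _string(b"")              # critical options: none
        + _string(b"")              # extensions: none
        + _string(b"")              # reserved
        + _string(_string(b"ssh-ed25519") + _string(ca_pk))   # signature key
    )
    placeholder_sig = _string(b"ssh-ed25519") + _string(b"\x00" * 64)
    return body + _string(placeholder_sig)

def parse_cert(blob: bytes) -> dict:
    """Decode the fields a policy check needs; does not verify the signature."""
    off = 0
    cert_type, off = _read_string(blob, off)
    if cert_type != CERT_TYPE:
        raise ValueError("unsupported certificate type %r" % cert_type)
    _nonce, off = _read_string(blob, off)
    _user_pk, off = _read_string(blob, off)
    serial, off = _read_uint64(blob, off)
    ctype, off = _read_uint32(blob, off)
    key_id, off = _read_string(blob, off)
    principals_blob, off = _read_string(blob, off)
    principals, p = [], 0
    while p < len(principals_blob):       # nested list of string principals
        name, p = _read_string(principals_blob, p)
        principals.append(name.decode())
    valid_after, off = _read_uint64(blob, off)
    valid_before, off = _read_uint64(blob, off)
    _crit, off = _read_string(blob, off)
    _ext, off = _read_string(blob, off)
    _reserved, off = _read_string(blob, off)
    sig_key, off = _read_string(blob, off)
    ca_key_type, _ = _read_string(sig_key, 0)
    return {"serial": serial, "type": ctype, "key_id": key_id.decode(),
            "principals": principals, "valid_after": valid_after,
            "valid_before": valid_before, "ca_key_type": ca_key_type.decode()}

def check_cert(cert: dict, principal: str, now=None):
    """sshd's time rules (now < valid_after: not yet valid; now >= valid_before:
    expired) plus the requirement that the login name is a listed principal."""
    now = int(time.time()) if now is None else now
    if cert["type"] != SSH2_CERT_TYPE_USER:
        return False, "not a user certificate"
    if now < cert["valid_after"]:
        return False, "not yet valid"
    if now >= cert["valid_before"]:
        return False, "expired"
    if principal not in cert["principals"]:
        return False, "principal not in certificate"
    return True, "ok"

def exposure_seconds(cert: dict, compromise_at: int, krl_effective_at: int) -> int:
    """Seconds a stolen cert remains usable after compromise: the window closes
    at whichever comes first, the cert's own expiry or the KRL reaching the host.
    With hours-long lifetimes the expiry normally closes it first."""
    cutoff = min(cert["valid_before"], krl_effective_at)
    return max(0, cutoff - compromise_at)

if __name__ == "__main__":
    issued = 1_700_000_000                        # constructed issue time (epoch seconds)
    blob = build_user_cert("deploy-bot", ["deploy"], issued, issued + 4 * 3600)
    cert = parse_cert(blob)
    print(cert["key_id"], cert["principals"], check_cert(cert, "deploy", issued + 3600))
    # Compromise 2h after issue, KRL needs 8h to reach hosts: exposure bounded by expiry.
    print(exposure_seconds(cert, issued + 2 * 3600, issued + 10 * 3600))
```

The `exposure_seconds` helper is the quantitative form of the argument in the message: with a four-hour certificate, a compromise two hours after issue leaves at most two hours of exposure however slow the KRL rollout is, whereas a long-lived certificate is usable until the KRL actually lands on every host.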