Re: Suggestion: Deprecate SSH certificates and move to X.509 certificates

Yegor Ievlev wrote:
> Can you tell what problem with SSH certificate revocation does
> software you wrote for Uber solve?

Most implementations simply issue short-term certs for freshly generated
key pairs only valid for a few hours. With automatic loading of cert/key
into ssh-agent you also prevent insecure storage of the private keys.

Detecting a security issue and reliably rolling out revocation lists on
tens of thousands of machines likely takes longer than this validity period.

There are already several implementations you can find on github and
elsewhere. I've also implemented such a service for a customer recently.

Ciao, Michael.

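The point above is that with short-lived certificates the lifetime check done by the server replaces a revocation list: once `valid_before` passes, the certificate rejects itself on every host without any list being distributed. The following is an added example, not code from Michael, from OpenSSH or from any of the services mentioned. It encodes and decodes the OpenSSH certificate wire format (PROTOCOL.certkeys) for the `ssh-ed25519-cert-v01@openssh.com` type only, fills the nonce and signature with constructed placeholder bytes (no signing or verification is performed), and then applies the same half-open validity window OpenSSH uses, `valid_after <= now < valid_before`, to a constructed four-hour certificate.

```python
"""Encode/decode the OpenSSH certificate wire format (ed25519 variant only) and apply
the lifetime check that short-lived certificates rely on instead of revocation lists.
Added example; the signature and nonce are constructed placeholders, not real values."""
import base64
import struct
import time

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"


def _str(b: bytes) -> bytes:
    """SSH 'string': big-endian uint32 length prefix followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def build_cert(pubkey: bytes, key_id: str, principals: list, valid_after: int,
               valid_before: int, ca_pubkey: bytes) -> bytes:
    """Assemble a certificate blob in PROTOCOL.certkeys field order."""
    body = (
        _str(CERT_TYPE)
        + _str(b"\x00" * 32)                      # nonce (constructed placeholder)
        + _str(pubkey)                            # the (ephemeral) user public key
        + struct.pack(">Q", 1)                    # serial
        + struct.pack(">I", 1)                    # type 1 = user certificate
        + _str(key_id.encode())
        + _str(b"".join(_str(p.encode()) for p in principals))   # packed list
        + struct.pack(">Q", valid_after)
        + struct.pack(">Q", valid_before)
        + _str(b"")                               # critical options (none)
        + _str(b"")                               # extensions (none)
        + _str(b"")                               # reserved
        + _str(_str(b"ssh-ed25519") + _str(ca_pubkey))   # signature key (CA)
    )
    # Signature over body; placeholder zeros because this example only parses.
    return body + _str(_str(b"ssh-ed25519") + _str(b"\x00" * 64))


class _Reader:
    """Cursor over a blob, reading SSH primitive types in order."""

    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def u32(self) -> int:
        (n,) = struct.unpack_from(">I", self.buf, self.pos)
        self.pos += 4
        return n

    def u64(self) -> int:
        (n,) = struct.unpack_from(">Q", self.buf, self.pos)
        self.pos += 8
        return n

    def string(self) -> bytes:
        n = self.u32()
        s = self.buf[self.pos:self.pos + n]
        self.pos += n
        return s


def parse_cert(blob: bytes) -> dict:
    """Extract the fields a lifetime/authorization check needs."""
    r = _Reader(blob)
    if r.string() != CERT_TYPE:
        raise ValueError("unsupported certificate type")
    r.string()                                    # nonce, unused here
    pubkey = r.string()
    serial = r.u64()
    cert_type = r.u32()
    key_id = r.string().decode()
    pr = _Reader(r.string())
    principals = []
    while pr.pos < len(pr.buf):
        principals.append(pr.string().decode())
    valid_after, valid_before = r.u64(), r.u64()
    return {"pubkey": pubkey, "serial": serial, "type": cert_type, "key_id": key_id,
            "principals": principals, "valid_after": valid_after,
            "valid_before": valid_before,
            "lifetime_seconds": valid_before - valid_after}


def encode_line(blob: bytes) -> str:
    """Render as a single-line public key file entry (the -cert.pub format)."""
    return CERT_TYPE.decode() + " " + base64.b64encode(blob).decode()


def parse_line(line: str) -> dict:
    """Inverse of encode_line, then parse the blob."""
    _, b64 = line.split(" ", 1)
    return parse_cert(base64.b64decode(b64))


def is_within_lifetime(cert: dict, now: int = None) -> bool:
    """OpenSSH accepts a certificate when valid_after <= now < valid_before."""
    now = int(time.time()) if now is None else now
    return cert["valid_after"] <= now < cert["valid_before"]


# Constructed sample: a four-hour user certificate for principal "deploy".
ISSUED_AT = 1_700_000_000
SAMPLE_LINE = encode_line(build_cert(
    pubkey=b"\x11" * 32, key_id="alice@laptop", principals=["deploy"],
    valid_after=ISSUED_AT, valid_before=ISSUED_AT + 4 * 3600, ca_pubkey=b"\x22" * 32))

if __name__ == "__main__":
    c = parse_line(SAMPLE_LINE)
    print(c["key_id"], c["principals"], c["lifetime_seconds"] // 3600, "h")
    print("valid one hour in:", is_within_lifetime(c, ISSUED_AT + 3600))
    print("valid at expiry:  ", is_within_lifetime(c, ISSUED_AT + 4 * 3600))
```

The last two calls are the whole argument in miniature: an hour after issue the certificate is accepted, at `valid_before` it is refused, and no machine had to receive a revocation list to get there. A real issuing service would add `ssh-keygen -s` style signing with the CA key and load the result into `ssh-agent` with a matching `-t` lifetime; neither step is modelled here.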

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
