Re: Signing KRLs?

On Mon, Feb 4, 2019 at 10:32 AM Daniel Schneller <ds@xxxxxxxxxxxxxxxxxx> wrote:
>
> Hi!
>
> While reading through PROTOCOL.krl I came across "5. KRL signature sections".
>
> If my understanding is correct - and that's basically what I would like to
> get knocked down for if appropriate ;) - this is a way for SSHDs to ensure
> they only accept KRLs signed by a trusted CA.
>
> However, I cannot seem to find a way to actually _sign_ a KRL with ssh-keygen?
> The aforementioned PROTOCOL.krl says that KRL_SECTION_SIGNATURE is optional in
> the file structure, so am I right to assume that ssh-keygen simply does not
> implement the signing of KRLs (yet)? Or do I need to use some other tool I have
> overlooked?

I haven't looked at the code, but the man page implies -s signs the krl.

     -s ca_key
             Certify (sign) a public key using the specified CA key.  Please
             see the CERTIFICATES section for details.

             When generating a KRL, -s specifies a path to a CA public key
             file used to revoke certificates directly by key ID or serial
             number.  See the KEY REVOCATION LISTS section for details.

> Thanks a lot in advance.
>
> Cheers,
> Daniel
>
>
> --
> Daniel Schneller
> ds@xxxxxxxxxxxxxxxxxxx
> Twitter: @dschneller
> http://www.danielschneller.com - Java, iOS, Mac, Windows, Linux and other insanities.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
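One way to check whether a KRL file actually carries the optional KRL_SECTION_SIGNATURE described in PROTOCOL.krl, as an added example that is not code from this thread or from OpenSSH: the parser below walks the KRL header and section list (field layout and section type numbers as given in PROTOCOL.krl). The sample KRL bytes, the key blob and the signature blob are constructed placeholders, and the signature section is only detected, not verified.

```python
import struct

KRL_MAGIC = b"SSHKRL\n\0"
KRL_FORMAT_VERSION = 1
SECTION_NAMES = {1: "certificates", 2: "explicit_key", 3: "fingerprint_sha1",
                 4: "signature", 5: "fingerprint_sha256"}

def _string(buf, off):
    """Read one SSH 'string' (uint32 big-endian length + body) at off."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field at offset %d" % off)
    (n,) = struct.unpack(">I", buf[off:off + 4])
    if off + 4 + n > len(buf):
        raise ValueError("truncated string body at offset %d" % off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_krl(buf):
    """Return header fields and section names; 'signed' means a type-4 section exists."""
    if not buf.startswith(KRL_MAGIC) or len(buf) < len(KRL_MAGIC) + 28:
        raise ValueError("not a KRL (bad magic or truncated header)")
    off = len(KRL_MAGIC)
    fmt, krl_version, generated, _flags = struct.unpack(">IQQQ", buf[off:off + 28])
    off += 28
    if fmt != KRL_FORMAT_VERSION:
        raise ValueError("unsupported KRL format version %d" % fmt)
    _reserved, off = _string(buf, off)   # reserved string, ignored
    comment, off = _string(buf, off)
    sections = []
    while off < len(buf):                # each section: byte type, string data
        stype = buf[off]
        _data, off = _string(buf, off + 1)
        sections.append(SECTION_NAMES.get(stype, "unknown(%d)" % stype))
    return {"krl_version": krl_version, "generated_date": generated,
            "comment": comment.decode("utf-8", "replace"),
            "sections": sections, "signed": "signature" in sections}

def _s(b):
    return struct.pack(">I", len(b)) + b
def build_krl(sections, krl_version=7, comment=b"constructed demo KRL"):
    # Assemble a KRL from (section_type, section_data) pairs; constructed sample only.
    body = KRL_MAGIC + struct.pack(">IQQQ", KRL_FORMAT_VERSION, krl_version, 1549276800, 0)
    body += _s(b"") + _s(comment)
    for stype, data in sections:
        body += bytes([stype]) + _s(data)
    return body

# Constructed samples: the key and signature blobs are placeholders, not real material.
EXPLICIT_KEY = _s(b"placeholder-revoked-key-blob")
UNSIGNED_KRL = build_krl([(2, EXPLICIT_KEY)])
SIGNED_KRL = build_krl([(2, EXPLICIT_KEY), (4, _s(b"placeholder-ca-key") + _s(b"placeholder-sig"))])
```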