On Mon, Feb 4, 2019 at 10:32 AM Daniel Schneller <ds@xxxxxxxxxxxxxxxxxx> wrote:
>
> Hi!
>
> While reading through PROTOCOL.krl I came across "5. KRL signature sections".
>
> If my understanding is correct - and that's basically what I would like to
> get knocked down for if appropriate ;) - this is a way for SSHDs to ensure
> they only accept KRLs signed by a trusted CA.
>
> However, I cannot seem to find a way to actually _sign_ a KRL with ssh-keygen?
> The aforementioned PROTOCOL.krl says that KRL_SECTION_SIGNATURE is optional in
> the file structure, so am I right to assume that ssh-keygen simply does not
> implement the signing of KRLs (yet)? Or do I need to use some other tool I have
> overlooked?

I haven't looked at the code, but the man page implies -s signs the krl.

     -s ca_key
             Certify (sign) a public key using the specified CA key. Please see
             the CERTIFICATES section for details.

             When generating a KRL, -s specifies a path to a CA public key file
             used to revoke certificates directly by key ID or serial number.
             See the KEY REVOCATION LISTS section for details.

> Thanks a lot in advance.
>
> Cheers,
> Daniel
>
>
> --
> Daniel Schneller
> ds@xxxxxxxxxxxxxxxxxxx
> Twitter: @dschneller
> http://www.danielschneller.com - Java, iOS, Mac, Windows, Linux and other insanities.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
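The two things the thread touches, the CA key that `-s` supplies when generating a KRL and the optional KRL_SECTION_SIGNATURE from section 5 of PROTOCOL.krl, are easiest to tell apart by looking at where each lands in the file. The following is an added example written for this page, not code from the thread or from OpenSSH: a minimal KRL writer and reader that follows the wire layout in PROTOCOL.krl (header, a certificate section whose `ca_key` field is the key the man page excerpt describes, serial-list and key-ID subsections, and a trailing signature section). The function names (`build_krl`, `parse_krl`, `cert_revoked`, `demo`) are this example's own; the `CA_KEY` blob and the `fake_sign`/`fake_verify` pair are constructed placeholders, with a SHA-256 digest standing in for a real CA signature so the block runs without a crypto library. What the example does show accurately is which bytes a KRL signature covers (everything from the magic up to and including the signing key string), that a reader must refuse a signed KRL it cannot verify, and that serial and key-ID revocations are scoped to the `ca_key` of their section.

```python
"""Minimal KRL writer/reader per OpenSSH's PROTOCOL.krl (added example, not OpenSSH code)."""
import hashlib
import struct

KRL_MAGIC, KRL_FORMAT_VERSION = b"SSHKRL\n\x00", 1   # magic is uint64 0x5353484b524c0a00
SECTION_CERTIFICATES, SECTION_SIGNATURE, CERT_SERIAL_LIST, CERT_KEY_ID = 1, 4, 0x20, 0x23

def ssh_string(b): return struct.pack(">I", len(b)) + b   # SSH wire 'string': uint32 length + bytes

def cert_section(ca_key, serials=(), key_ids=()):
    """KRL_SECTION_CERTIFICATES for ca_key (what 'ssh-keygen -k -s ca.pub' supplies; empty = every CA)."""
    body = ssh_string(ca_key) + ssh_string(b"")                      # ca_key, reserved
    if serials:
        body += bytes([CERT_SERIAL_LIST]) + ssh_string(b"".join(struct.pack(">Q", s) for s in serials))
    if key_ids:
        body += bytes([CERT_KEY_ID]) + ssh_string(b"".join(ssh_string(k.encode()) for k in key_ids))
    return bytes([SECTION_CERTIFICATES]) + ssh_string(body)

def build_krl(sections, krl_version=1, generated=0, comment=b"", signer=None):
    """Header, sections, then optionally one KRL_SECTION_SIGNATURE from signer =
    (signature_key_blob, sign_fn); the signature covers KRL_MAGIC .. signature_key."""
    out = KRL_MAGIC + struct.pack(">IQQQ", KRL_FORMAT_VERSION, krl_version, generated, 0)
    out += ssh_string(b"") + ssh_string(comment) + b"".join(sections)   # reserved, comment
    if signer is not None:
        key_blob, sign_fn = signer
        out += bytes([SECTION_SIGNATURE]) + ssh_string(key_blob)
        out += ssh_string(sign_fn(out))
    return out

class _Buf:
    def __init__(self, data):
        self.d, self.p = data, 0
    def take(self, n):
        v = self.d[self.p:self.p + n]
        if len(v) < n:
            raise ValueError("truncated KRL")
        self.p += n
        return v
    def u64(self): return struct.unpack(">Q", self.take(8))[0]
    def string(self): return self.take(struct.unpack(">I", self.take(4))[0])
    def left(self): return self.p < len(self.d)

def parse_krl(blob, verify=None):
    """Decode certificate revocations.  A signed KRL is accepted only if verify(key_blob,
    signed_data, signature) is True; nothing may follow a signature, which would not cover it."""
    b = _Buf(blob)
    if b.take(8) != KRL_MAGIC or b.take(4) != struct.pack(">I", KRL_FORMAT_VERSION):
        raise ValueError("not a KRL")
    krl = {"version": b.u64(), "generated": b.u64(), "flags": b.u64(), "certs": [], "signed_by": []}
    _reserved, krl["comment"] = b.string(), b.string()
    while b.left():
        stype = b.take(1)[0]
        if stype == SECTION_SIGNATURE:
            key_blob, end = b.string(), b.p     # signed data is blob[:end]: magic .. key inclusive
            if verify is None or not verify(key_blob, blob[:end], b.string()):
                raise ValueError("KRL signature rejected")
            krl["signed_by"].append(key_blob)
            continue
        if krl["signed_by"]:
            raise ValueError("unsigned section after signature")
        body = _Buf(b.string())
        if stype == SECTION_CERTIFICATES:       # explicit-key / fingerprint sections skipped
            entry = {"ca_key": body.string(), "serials": set(), "key_ids": set()}
            _reserved = body.string()
            while body.left():
                ctype, cdata = body.take(1)[0], _Buf(body.string())
                while cdata.left() and ctype in (CERT_SERIAL_LIST, CERT_KEY_ID):  # others skipped
                    if ctype == CERT_SERIAL_LIST:
                        entry["serials"].add(cdata.u64())
                    else:
                        entry["key_ids"].add(cdata.string().decode())
            krl["certs"].append(entry)
    return krl

def cert_revoked(krl, ca_key, serial, key_id):
    """True if a certificate with this CA key, serial and key ID is revoked."""
    return any(e["ca_key"] in (b"", ca_key) and (serial in e["serials"] or key_id in e["key_ids"])
               for e in krl["certs"])

# Constructed placeholders: a wire-form CA key, and a hash standing in for a real CA signature.
CA_KEY = ssh_string(b"ssh-ed25519") + ssh_string(b"\x01" * 32)
fake_sign = lambda data: hashlib.sha256(data).digest()
fake_verify = lambda key_blob, data, sig: key_blob == CA_KEY and sig == fake_sign(data)

def demo():
    krl_bytes = build_krl([cert_section(CA_KEY, serials=[42], key_ids=["alice@example"])],
                          krl_version=3, comment=b"demo", signer=(CA_KEY, fake_sign))
    krl = parse_krl(krl_bytes, verify=fake_verify)
    try:                                        # flip a byte inside the signed region
        parse_krl(krl_bytes.replace(b"demo", b"DEMO"), verify=fake_verify)
        tampered_accepted = True
    except ValueError:
        tampered_accepted = False
    return {"serial_42": cert_revoked(krl, CA_KEY, 42, "bob"),
            "key_id": cert_revoked(krl, CA_KEY, 7, "alice@example"),
            "signed_by_ca": krl["signed_by"] == [CA_KEY],
            "tampered_accepted": tampered_accepted}

if __name__ == "__main__": print(demo())
```

Running the file prints the `demo()` dictionary: serial 42 and key ID `alice@example` are revoked, the KRL is reported as signed by `CA_KEY`, and the copy with one byte changed inside the signed region is rejected. `parse_krl` also raises when a signed KRL is handed to it without a verifier and when any section follows the signature, since the signature's coverage ends at the signing key string. In a real deployment the `verify` callback would check the signature with the CA's public key using a signature library; the digest stand-in here only marks the boundary.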