Re: Signing KRLs?

On Mon, Feb 4, 2019 at 9:25 PM Peter Moody <mindrot@xxxxxxxx> wrote:

> On Mon, Feb 4, 2019 at 10:32 AM Daniel Schneller <ds@xxxxxxxxxxxxxxxxxx> wrote:
> >
> > Hi!
> >
> > While reading through PROTOCOL.krl I came across "5. KRL signature sections".
> >
> > If my understanding is correct - and that's basically what I would like to
> > get knocked down for if appropriate ;) - this is a way for SSHDs to ensure
> > they only accept KRLs signed by a trusted CA.
> >
> > However, I cannot seem to find a way to actually _sign_ a KRL with ssh-keygen?
> > The aforementioned PROTOCOL.krl says that KRL_SECTION_SIGNATURE is optional in
> > the file structure, so am I right to assume that ssh-keygen simply does not
> > implement the signing of KRLs (yet)? Or do I need to use some other tool I have
> > overlooked?
>
> I haven't looked at the code, but the man page implies -s signs the krl.
>
>      -s ca_key
>              Certify (sign) a public key using the specified CA key.  Please
>              see the CERTIFICATES section for details.
>
>              When generating a KRL, -s specifies a path to a CA public key
>              file used to revoke certificates directly by key ID or serial
>              number.  See the KEY REVOCATION LISTS section for details.
>
>
I thought so, too, but it does not really make sense to me. You provide
the _public_ key of the CA, so it can’t be for signing. Instead I believe
it is to give context to the serial number and/or key IDs you want to
revoke.

That last part could be me misreading things, but for signing it would
need the private CA key, would it not?

Daniel

-- 
Daniel Schneller
ds@xxxxxxxxxxxxxxxxxxx
Twitter: @dschneller
http://www.danielschneller.com - Java, iOS, Mac, Windows, Linux and other
insanities.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
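An added example, not from this thread and not OpenSSH's own code: a small Python reader/writer for the KRL container laid out in PROTOCOL.krl. It shows the structural point Daniel is making. The CA public key is embedded inside the certificates section (type 1) as the scope for the serial numbers and key IDs listed there, while a signature would be a separate, optional section (type 4) that an unsigned KRL simply does not carry. The CA key blob, serials and key ID below are constructed placeholders; the section and subsection type values are those defined in PROTOCOL.krl, and the serial-bitmap and extension subsections are left unparsed.

```python
"""Minimal reader/writer for the OpenSSH KRL container from PROTOCOL.krl.

Added example (not from the thread or from OpenSSH). Builds an unsigned KRL that
revokes certificates by serial number and key ID under a constructed CA key blob,
parses it back, and reports whether an optional KRL_SECTION_SIGNATURE is present.
"""
import struct

# Section and subsection type values as defined in PROTOCOL.krl.
KRL_MAGIC = b"SSHKRL\n\x00"
KRL_FORMAT_VERSION = 1
SECTION_CERTIFICATES = 1
SECTION_SIGNATURE = 4
CERT_SERIAL_LIST = 0x20
CERT_SERIAL_RANGE = 0x21
CERT_KEY_ID = 0x23


def _string(b):
    """SSH wire 'string': uint32 length prefix followed by the bytes."""
    return struct.pack(">I", len(b)) + b


class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated KRL")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self): return self.take(1)[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def u64(self): return struct.unpack(">Q", self.take(8))[0]
    def string(self): return self.take(self.u32())
    def eof(self): return self.pos >= len(self.data)


def build_krl(ca_key_blob, serials=(), key_ids=(), comment=b"", krl_version=1):
    """Serialise an unsigned KRL with one certificates section scoped to ca_key_blob."""
    body = _string(ca_key_blob) + _string(b"")  # ca_key, reserved
    if serials:
        body += bytes([CERT_SERIAL_LIST]) + _string(b"".join(struct.pack(">Q", s) for s in serials))
    if key_ids:
        body += bytes([CERT_KEY_ID]) + _string(b"".join(_string(k) for k in key_ids))
    header = (KRL_MAGIC + struct.pack(">I", KRL_FORMAT_VERSION)
              + struct.pack(">Q", krl_version) + struct.pack(">Q", 0)    # generated_date
              + struct.pack(">Q", 0) + _string(b"") + _string(comment))  # flags, reserved, comment
    return header + bytes([SECTION_CERTIFICATES]) + _string(body)


def _parse_cert_section(data):
    r = _Reader(data)
    section = {"ca_key": r.string(), "serials": set(), "ranges": [], "key_ids": set()}
    r.string()  # reserved
    while not r.eof():
        kind, sub = r.u8(), _Reader(r.string())
        if kind == CERT_SERIAL_LIST:
            while not sub.eof():
                section["serials"].add(sub.u64())
        elif kind == CERT_SERIAL_RANGE:
            while not sub.eof():
                section["ranges"].append((sub.u64(), sub.u64()))
        elif kind == CERT_KEY_ID:
            while not sub.eof():
                section["key_ids"].add(sub.string())
        # serial bitmap (0x22) and extension subsections are skipped in this example
    return section


def parse_krl(data):
    r = _Reader(data)
    if r.take(8) != KRL_MAGIC or r.u32() != KRL_FORMAT_VERSION:
        raise ValueError("not a version-1 KRL")
    krl = {"krl_version": r.u64(), "generated_date": r.u64(), "flags": r.u64()}
    r.string()  # reserved
    krl["comment"] = r.string()
    krl["certificates"], krl["signatures"], krl["other_sections"] = [], [], []
    while not r.eof():
        kind, payload = r.u8(), r.string()
        if kind == SECTION_CERTIFICATES:
            krl["certificates"].append(_parse_cert_section(payload))
        elif kind == SECTION_SIGNATURE:  # optional; absent from anything build_krl emits
            s = _Reader(payload)
            krl["signatures"].append({"signature_key": s.string(), "signature": s.string()})
        else:
            krl["other_sections"].append(kind)
    return krl


def is_cert_revoked(krl, ca_key_blob, serial=None, key_id=None):
    """True if a certificate issued by ca_key_blob is revoked by serial or key ID.

    The CA key recorded in the section is what gives the serials their meaning:
    the same serial under a different CA is a different certificate."""
    for sec in krl["certificates"]:
        if sec["ca_key"] != ca_key_blob:
            continue
        if serial is not None and (serial in sec["serials"]
                                   or any(lo <= serial <= hi for lo, hi in sec["ranges"])):
            return True
        if key_id is not None and key_id in sec["key_ids"]:
            return True
    return False


# Constructed sample: a placeholder public key blob, not a real key.
CA_BLOB = _string(b"ssh-ed25519") + _string(bytes(32))
SAMPLE_KRL = build_krl(CA_BLOB, serials=(7, 42), key_ids=(b"alice@example",), comment=b"constructed")

if __name__ == "__main__":
    parsed = parse_krl(SAMPLE_KRL)
    print("signature sections present:", len(parsed["signatures"]))
    print("serial 42 revoked under CA_BLOB:", is_cert_revoked(parsed, CA_BLOB, serial=42))
```

The parser treats the signature section as just another typed section it may or may not encounter, which is exactly what "optional" means in the file structure; nothing in the certificates section depends on it, and the CA key there is a scoping field rather than a signing key.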