On Mon, Feb 4, 2019 at 9:25 PM Peter Moody <mindrot@xxxxxxxx> wrote:
> On Mon, Feb 4, 2019 at 10:32 AM Daniel Schneller <ds@xxxxxxxxxxxxxxxxxx> wrote:
> >
> > Hi!
> >
> > While reading through PROTOCOL.krl I came across "5. KRL signature sections".
> >
> > If my understanding is correct - and that's basically what I would like to
> > get knocked down for if appropriate ;) - this is a way for SSHDs to ensure
> > they only accept KRLs signed by a trusted CA.
> >
> > However, I cannot seem to find a way to actually _sign_ a KRL with ssh-keygen?
> > The aforementioned PROTOCOL.krl says that KRL_SECTION_SIGNATURE is optional in
> > the file structure, so am I right to assume that ssh-keygen simply does not
> > implement the signing of KRLs (yet)? Or do I need to use some other tool I have
> > overlooked?
>
> I haven't looked at the code, but the man page implies -s signs the krl.
>
>      -s ca_key
>              Certify (sign) a public key using the specified CA key.  Please
>              see the CERTIFICATES section for details.
>
>              When generating a KRL, -s specifies a path to a CA public key
>              file used to revoke certificates directly by key ID or serial
>              number.  See the KEY REVOCATION LISTS section for details.

I thought so, too, but it does not really make sense to me. You provide the
_public_ key of the CA, so it can’t be for signing. Instead I believe it is to
give context to the serial number and/or key IDs you want to revoke.
That last part could be me misreading things, but for signing it would need
the private CA key, would it not?

Daniel

> > Thanks a lot in advance.
> >
> > Cheers,
> > Daniel
> >
> > --
> > Daniel Schneller
> > ds@xxxxxxxxxxxxxxxxxxx
> > Twitter: @dschneller
> > http://www.danielschneller.com - Java, iOS, Mac, Windows, Linux and other insanities.
> >
> > _______________________________________________
> > openssh-unix-dev mailing list
> > openssh-unix-dev@xxxxxxxxxxx
> > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

--
Daniel Schneller
ds@xxxxxxxxxxxxxxxxxxx
Twitter: @dschneller
http://www.danielschneller.com - Java, iOS, Mac, Windows, Linux and other insanities.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
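The thread turns on whether a KRL carries the optional KRL_SECTION_SIGNATURE described in PROTOCOL.krl. The following parser, added here as an example and not code from the thread or from OpenSSH, walks the KRL container format (magic, format version, header fields, then `byte section_type` + `string section_data` sections) and reports whether a signature section is present and which bytes a signature would cover. The two sample KRLs are constructed inside the block rather than produced by ssh-keygen; the key and signature strings in the "signed" sample are placeholders that only exercise the layout, not a real CA key or signature.

```python
"""Walk the OpenSSH KRL container (PROTOCOL.krl) and report whether the
optional KRL_SECTION_SIGNATURE is present.  Added example; the sample KRLs
built below are constructed here, not generated by ssh-keygen."""
import struct

KRL_MAGIC = b"SSHKRL\n\x00"   # uint64 0x5353484b524c0a00 per PROTOCOL.krl
KRL_FORMAT_VERSION = 1

KRL_SECTION_CERTIFICATES = 1
KRL_SECTION_EXPLICIT_KEY = 2
KRL_SECTION_FINGERPRINT_SHA1 = 3
KRL_SECTION_SIGNATURE = 4
KRL_SECTION_FINGERPRINT_SHA256 = 5
KRL_SECTION_EXTENSION = 255

SECTION_NAMES = {
    KRL_SECTION_CERTIFICATES: "CERTIFICATES",
    KRL_SECTION_EXPLICIT_KEY: "EXPLICIT_KEY",
    KRL_SECTION_FINGERPRINT_SHA1: "FINGERPRINT_SHA1",
    KRL_SECTION_SIGNATURE: "SIGNATURE",
    KRL_SECTION_FINGERPRINT_SHA256: "FINGERPRINT_SHA256",
    KRL_SECTION_EXTENSION: "EXTENSION",
}


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, off: int):
    """Decode an SSH 'string' at offset; return (payload, new_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated string length")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def parse_krl(blob: bytes) -> dict:
    """Parse the header and sections.  'signed_region' is None for an
    unsigned KRL; otherwise it is the byte range a signature covers
    (from KRL_MAGIC through the signature_key string, inclusive)."""
    if not blob.startswith(KRL_MAGIC):
        raise ValueError("not a KRL: bad magic")
    off = len(KRL_MAGIC)
    fmt, krl_version, generated, flags = struct.unpack(">IQQQ", blob[off:off + 28])
    if fmt != KRL_FORMAT_VERSION:
        raise ValueError(f"unsupported KRL format version {fmt}")
    off += 28
    _reserved, off = read_string(blob, off)
    comment, off = read_string(blob, off)

    sections = []
    signed_region = None
    while off < len(blob):
        stype = blob[off]
        off += 1
        if stype == KRL_SECTION_SIGNATURE:
            if signed_region is not None:
                raise ValueError("KRL_SECTION_SIGNATURE may appear at most once")
            # The signature section carries two strings instead of one.
            sig_key, off = read_string(blob, off)
            signed_region = blob[:off]          # everything up to and including signature_key
            signature, off = read_string(blob, off)
            sections.append(("SIGNATURE", (sig_key, signature)))
        else:
            data, off = read_string(blob, off)
            sections.append((SECTION_NAMES.get(stype, f"UNKNOWN({stype})"), data))
    return {
        "krl_version": krl_version,
        "generated_date": generated,
        "flags": flags,
        "comment": comment,
        "sections": sections,
        "signed_region": signed_region,
    }


def is_signed(blob: bytes) -> bool:
    """True if the KRL carries a KRL_SECTION_SIGNATURE (presence only; this
    does not verify the signature)."""
    return parse_krl(blob)["signed_region"] is not None


def build_sample_krl(signed: bool) -> bytes:
    """Construct a minimal KRL that revokes one fake ed25519 key by explicit key.
    With signed=True a SIGNATURE section with placeholder key/signature bytes is
    appended; the placeholders are not a valid signature."""
    fake_pubkey = ssh_string(b"ssh-ed25519") + ssh_string(b"\x11" * 32)   # constructed key blob
    header = (KRL_MAGIC + struct.pack(">IQQQ", KRL_FORMAT_VERSION, 1, 1549300000, 0)
              + ssh_string(b"") + ssh_string(b"example KRL (constructed)"))
    # Explicit-key section data is a sequence of 'string public_key' entries.
    body = bytes([KRL_SECTION_EXPLICIT_KEY]) + ssh_string(ssh_string(fake_pubkey))
    blob = header + body
    if signed:
        blob += (bytes([KRL_SECTION_SIGNATURE])
                 + ssh_string(b"placeholder-ca-key")
                 + ssh_string(b"placeholder-signature"))
    return blob


def describe(blob: bytes) -> str:
    """One-line summary of the sections and signature status of a KRL."""
    info = parse_krl(blob)
    names = [name for name, _ in info["sections"]]
    if info["signed_region"] is None:
        return f"sections={names}; unsigned (no KRL_SECTION_SIGNATURE)"
    return f"sections={names}; signed, {len(info['signed_region'])} bytes under signature"


if __name__ == "__main__":
    for flag in (False, True):
        print(describe(build_sample_krl(flag)))
```

Running `parse_krl` over a KRL written by `ssh-keygen -k` shows directly whether a signature section was emitted, which is the question the thread is asking; the parser only reports presence and the covered byte range, it does not verify a signature.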