On Mon, 4 Feb 2019, Daniel Schneller wrote:

> Hi!
>
> While reading through PROTOCOL.krl I came across "5. KRL signature sections".
>
> If my understanding is correct - and that's basically what I would like to
> get knocked down for if appropriate ;) - this is a way for SSHDs to ensure
> they only accept KRLs signed by a trusted CA.
>
> However, I cannot seem to find a way to actually _sign_ a KRL with ssh-keygen?
> The aforementioned PROTOCOL.krl says that KRL_SECTION_SIGNATURE is optional in
> the file structure, so am I right to assume that ssh-keygen simply does not
> implement the signing of KRLs (yet)? Or do I need to use some other tool I have
> overlooked?

Hi,

Support for signatures is in the KRL spec and is implemented in the krl.[ch]
library but I've never actually plumbed that support through to ssh-keygen.
It's not hard to do; IMO the hardest part is figuring out a good UI for it.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev