Re: Signing KRLs?

On Mon, 4 Feb 2019, Daniel Schneller wrote:

> Hi!
> 
> While reading through PROTOCOL.krl I came across "5. KRL signature sections".
> 
> If my understanding is correct - and that's basically what I would like to
> get knocked down for if appropriate ;) - this is a way for SSHDs to ensure
> they only accept KRLs signed by a trusted CA.
> 
> However, I cannot seem to find a way to actually _sign_ a KRL with ssh-keygen?
> The aforementioned PROTOCOL.krl says that KRL_SECTION_SIGNATURE is optional in
> the file structure, so am I right to assume that ssh-keygen simply does not 
> implement the signing of KRLs (yet)? Or do I need to use some other tool I have
> overlooked?

Hi,

Support for signatures is in the KRL spec and is implemented in the
krl.[ch] library but I've never actually plumbed that support through
to ssh-keygen.

It's not hard to do; IMO the hardest part is figuring out a good UI
for it.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
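
Whether a given KRL carries the optional KRL_SECTION_SIGNATURE can be checked by walking the container. This is an added example, not code from the thread or from OpenSSH; the header layout and section numbers follow PROTOCOL.krl as an assumption (they are not quoted on this page), and the function names and sample bytes are hypothetical. It reports presence and signed length only and verifies no signature.

```python
import struct

KRL_MAGIC = b"SSHKRL\n\x00"          # uint64 KRL_MAGIC, big-endian (assumed from PROTOCOL.krl)
KRL_SECTION_SIGNATURE = 4
SECTION_NAMES = {1: "certificates", 2: "explicit_key", 3: "fingerprint_sha1",
                 4: "signature", 5: "fingerprint_sha256"}

class KRLFormatError(ValueError):
    pass

def _take(buf, off, n):
    if off + n > len(buf):
        raise KRLFormatError("truncated KRL")
    return buf[off:off + n], off + n

def _string(buf, off):
    raw, off = _take(buf, off, 4)           # SSH "string": uint32 length + bytes
    return _take(buf, off, struct.unpack(">I", raw)[0])

def inspect_krl(blob):
    """List a KRL's sections and how many leading bytes a signature covers."""
    magic, off = _take(blob, 0, 8)
    if magic != KRL_MAGIC:
        raise KRLFormatError("not a KRL")
    hdr, off = _take(blob, off, 28)         # format, krl_version, generated_date, flags
    fmt, version, _generated, _flags = struct.unpack(">IQQQ", hdr)
    if fmt != 1:
        raise KRLFormatError("unsupported format version")
    for _ in range(2):                      # reserved, comment
        _, off = _string(blob, off)
    names, signed_len = [], None
    while off < len(blob):
        stype, off = blob[off], off + 1
        _, off = _string(blob, off)         # section body, or signature_key
        if stype == KRL_SECTION_SIGNATURE:
            if signed_len is None:
                signed_len = off            # KRL_MAGIC through signature_key
            _, off = _string(blob, off)     # the signature itself
        elif signed_len is not None:
            raise KRLFormatError("section after signature is not covered by it")
        names.append(SECTION_NAMES.get(stype, "unknown(%d)" % stype))
    return {"krl_version": version, "sections": names, "signed_len": signed_len}

# Constructed samples: placeholder bytes, not real keys or signatures.
def _s(b):
    return struct.pack(">I", len(b)) + b

UNSIGNED = (KRL_MAGIC + struct.pack(">IQQQ", 1, 7, 0, 0) + _s(b"") + _s(b"sample")
            + bytes([5]) + _s(_s(bytes(32))))
SIGNED = UNSIGNED + bytes([4]) + _s(b"placeholder-key") + _s(b"placeholder-sig")
```

A `signed_len` of `None` means the file has no signature section, so its integrity rests entirely on how it was distributed.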


