Re: OpenSSH key blacklisting

[Sebastian Krahmer <krahmer () suse de>]

Hi,

Last time I looked at the drafts (now RFC) there was no
spec for revoking user-keys. However it allows x509
certificates for hostkeys.
Its all about the RFCs. OpenSSH folks shouldnt implement
proprietary stuff :)
At the end of the day SSH is not really a PKI system. The focus
has been on different issues.

Sebastian

On Wed, May 28, 2008 at 03:03:42PM +0100, Tim Brown wrote:

> All,
>
> Maybe I've missed something, in which case, shoot me down, but why unlike 
> other services that make use of public key cryptography, does OpenSSH not 
> have use a model which supports proper authorisation and revocation 
> mechanisms?  Would this not be an ideal opportunity to implement this?  
> Whilst I think there was a reasonable case for such features prior to the 
> Debian OpenSSL vulnerability being identified, I would argue that this issue 
> highlights the case.  Comercial SSH already has such functionality - can 
> anyone offer a view on how [well] it works?
>
> Tim
> -- 
> Tim Brown
> <mailto:timb () nth-dimension org uk>
> <http://www.nth-dimension.org.uk/>

-- 
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer () suse de - SuSE Security Team
~ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)