Re: [Keyrings] Re: [PATCH 01/04] Add multi-precision-integer maths library

From: Kyle Moffett
Date: Sun Jan 29 2006 - 17:55:07 EST


On Jan 29, 2006, at 17:05, Trond Myklebust wrote:
> On Sun, 2006-01-29 at 23:02 +0100, David Härdeman wrote:
>> On Sun, Jan 29, 2006 at 04:28:20PM -0500, Trond Myklebust wrote:
>>> On Sun, 2006-01-29 at 22:13 +0100, David Härdeman wrote:
>>>> How do you use a "time-limited proxy in the daemon" for your own keys/certificates (e.g. ssh keys)?
>>>
>>> I don't have to. Why are you apparently insisting on this weird fallacy that a keyring can only hold one certificate at a time?
>>
>> I'm talking about ssh keys, not Kerberos tickets.
>
> As I said previously, the lack of support for proxies would appear to be a bug in ssh, not the kernel.

You keep mentioning proxy certificates. So you are saying that when I pass the key to some daemon to which I do not want it to have permanent access, I should create a proxy certificate to pass instead? This _vastly_ increases the amount of math that needs to be done. Instead of just using my private key to encrypt data, I would need to generate a new private key with the required encryption strength, generate a proxy certificate, sign the proxy certificate with the old private key, keep track of revocation lists somehow (how do I reliably expire a proxy certificate on-demand everywhere it might be without a web-server hosting the CRLs?), _then_ I can finally encrypt my data with the proxy certificate. I think this qualifies as a serious performance problem, especially if I'm opening and closing lots of SSH tunnels, like running remote commands on every system in a cluster.

If we use this proposed in-kernel system, then I can give my certificate/pubkey to the kernel code, and then my web browser, SSH, and anything else can automatically use it to decrypt and sign data without being able to directly access (and thus compromise) the key. If I later notice what I think might be a rogue process, I can instantly and globally revoke all access to that keypair.

Cheers,
Kyle Moffett

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCM/CS/IT/E/U d- s++: a18 C++++>$ ULBX*++++(+++)>$ P++++(+++)>$ L++++ (+++)>$ !E- W+++(++) N+++(++) o? K? w--- O? M++ V? PS+() PE+(-) Y+ PGP + t+(+++) 5 X R? !tv-(--) b++++(++) DI+(++) D+++ G e>++++$ h*(+)>++$ r %(--) !y?-(--)
------END GEEK CODE BLOCK------
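The two delegation models argued over above, as an added example that is not part of this thread or of the keyrings patch: the proxy-certificate path (fresh keypair, certificate signed by the long-term key, expiry, and a revocation list every verifier has to consult) next to the holder-with-handles path (one copy of the key, callers get a handle, revocation is a single delete). Go's standard-library Ed25519 is used so it runs offline; the kernel code under review is C and this does not model the kernel keyring API. The ProxyCert layout, the Revocations map, the KeyService type and the sample payload are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// ProxyCert is a minimal delegation credential: a fresh short-lived public key and an
// expiry, signed by the long-term key. Assumed layout for this example, not from the patch.
type ProxyCert struct {
	ProxyPub ed25519.PublicKey
	NotAfter time.Time
	Sig      []byte // long-term signature over proxyTBS(ProxyPub, NotAfter)
}

// proxyTBS is the to-be-signed encoding: 32-byte key, then big-endian Unix seconds.
func proxyTBS(pub ed25519.PublicKey, notAfter time.Time) []byte {
	buf := make([]byte, len(pub)+8)
	copy(buf, pub)
	binary.BigEndian.PutUint64(buf[len(pub):], uint64(notAfter.Unix()))
	return buf
}

// IssueProxy does the extra work the mail objects to: a new keypair, then a long-term signature.
func IssueProxy(longTerm ed25519.PrivateKey, ttl time.Duration, now time.Time) (ProxyCert, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ProxyCert{}, nil, err
	}
	notAfter := now.Add(ttl)
	sig := ed25519.Sign(longTerm, proxyTBS(pub, notAfter))
	return ProxyCert{ProxyPub: pub, NotAfter: notAfter, Sig: sig}, priv, nil
}

// Revocations stands in for the CRL: revoking only helps verifiers that consult this map.
type Revocations map[string]bool

func (r Revocations) Revoke(c ProxyCert) { r[string(c.ProxyPub)] = true }

// VerifyProxySig checks a signature made with a proxy key: chain to the
// long-term key, expiry, revocation, then the data signature itself.
func VerifyProxySig(longTermPub ed25519.PublicKey, c ProxyCert, rev Revocations, now time.Time, msg, sig []byte) error {
	if !ed25519.Verify(longTermPub, proxyTBS(c.ProxyPub, c.NotAfter), c.Sig) {
		return errors.New("proxy cert not signed by the long-term key")
	}
	if now.After(c.NotAfter) {
		return errors.New("proxy cert expired")
	}
	if rev[string(c.ProxyPub)] {
		return errors.New("proxy cert revoked")
	}
	if !ed25519.Verify(c.ProxyPub, msg, sig) {
		return errors.New("bad data signature")
	}
	return nil
}

// KeyService models the alternative the mail prefers: the private key stays in
// one holder (the kernel, in the proposal) and callers only ever get a handle.
type KeyService struct {
	keys map[int]ed25519.PrivateKey
	next int
}

func NewKeyService() *KeyService { return &KeyService{keys: map[int]ed25519.PrivateKey{}} }

func (s *KeyService) Add(k ed25519.PrivateKey) int {
	s.next++
	s.keys[s.next] = k
	return s.next
}

// Sign is one signature per request with no extra keypair; the caller never sees key bytes.
func (s *KeyService) Sign(handle int, msg []byte) ([]byte, error) {
	k, ok := s.keys[handle]
	if !ok {
		return nil, errors.New("no such key: revoked or never added")
	}
	return ed25519.Sign(k, msg), nil
}

// Revoke takes effect for every caller at once: there is only one copy of the key.
func (s *KeyService) Revoke(handle int) { delete(s.keys, handle) }

func main() {
	ltPub, ltPriv, _ := ed25519.GenerateKey(rand.Reader)
	now, msg := time.Now(), []byte("remote command: uptime") // constructed sample payload
	cert, proxyPriv, _ := IssueProxy(ltPriv, time.Hour, now)
	rev := Revocations{}
	fmt.Println("proxy path:", VerifyProxySig(ltPub, cert, rev, now, msg, ed25519.Sign(proxyPriv, msg)))
	rev.Revoke(cert)
	fmt.Println("proxy after revoke:", VerifyProxySig(ltPub, cert, rev, now, msg, ed25519.Sign(proxyPriv, msg)))
	svc := NewKeyService()
	h := svc.Add(ltPriv)
	svc.Revoke(h)
	_, err := svc.Sign(h, msg)
	fmt.Println("service after revoke:", err)
}
```

The contrast the code makes concrete: on the proxy path a revocation is only as good as the verifier's copy of the Revocations map, while on the KeyService path the delete is the revocation, since no second copy of the key exists to keep working.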



-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/