On Wed, Mar 20, 2024 at 7:03 AM Michael Kjörling <2695bd53d...@ewoof.net> wrote: > > On 20 Mar 2024 15:46 +0800, from jeremy.ard...@gmail.com (jeremy ardley): > > Regarding certificates, I issue VPN certificates to be installed on each > > remote device. I don't use public key. > > What exactly is this "certificate" that you speak of? In typical > usage, it means a public key plus some surrounding metadata, but you > say that you "don't use public key". > > > > For ssh use I issue secret keys to each user and maintain matching public > > keys in LDAP servers. SSHD servers can get the public keys in real time by > > using the AuthorizedKeysCommand. If a secret key is compromised I simply > > remove the matching public key. > > > > [users are locked out from uploading their public key using ssh-copy-id] > > So the private keys aren't private, thereby invalidating a lot of > assumptions inherent in public key cryptography. > > Also, are you saying that you do not let users rotate their keys > themselves; and if so, why on Earth not?
Key continuity has turned out to be a better security property than key rotation. It is wise to avoid gratuitous rotation schemes. Jeff
