https://bugzilla.mindrot.org/show_bug.cgi?id=3204

Damien Miller <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #2 from Damien Miller <[email protected]> ---
So the problem here is that RevokedKeys is a critical option, i.e. if
it is specified then the file must exist and parse successfully.

Enabling per-user revoked keys by reusing the same option but adding
~/, implicit home directories and/or %tokens wouldn't let us retain
this property as not every path expansion will have a KRL present.

> Maintaining separate KRLs for each certificate authority is
> best-practice and enables fine-grained control (e.g. revoking the
> signature of a particular key by a particular CA but still allowing
> that same key to be used if it is also signed by a different
> authorized CA)

All this is achievable in authorized_keys. To revoke a specific
signature, @revoked the full certificate. To revoke a CA, @revoked the
CA key. To revoke a key, regardless of CA, @revoked its public key.

_______________________________________________
openssh-bugs mailing list
[email protected]
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
