https://bugzilla.mindrot.org/show_bug.cgi?id=3659
Damien Miller <djm@mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |WORKSFORME
Status|NEW |RESOLVED
CC| |djm@mindrot.org
--- Comment #1 from Damien Miller <djm@mindrot.org> ---
This is working correctly.
You revoked two keys. A plain public key that is revoked by its hash:
hash: SHA256:SHA256:3IJIl... # ssh-ed25519
and a certificate. The certificate is revoked by its CA key and serial
number, that is the last two lines of your output:
# CA key ssh-ed25519 SHA256:f4o3Bp...
serial: 3007
So both keys are definitely represented in the KRL dump.
Generally, the KRL code tries to write as small a file as possible. For
certificates this means that it uses the smallest unique identifier,
which is the serial number (for each given CA).
If you don't like this then you can use a KRL spec file to control how
the KRL revokes the keys. Something like:
# one "sha256:" line per key, then update (-u) the KRL file (-f) from the spec
(printf "sha256: "; cat user1_id25519.pub; \
 printf "\nsha256: "; cat user2_id25519-cert.pub; printf "\n") > krl.spec
ssh-keygen -kuf my.krl krl.spec
See the "KEY REVOCATION LISTS" section of the ssh-keygen(1) manpage for
more information on KRL spec files.
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
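The distinction drawn in the comment above (a plain key is revoked by its hash; a certificate is revoked by CA key plus serial, or by the hash of the key it wraps when a spec file is used) worked through in an added Python example that is not part of the bug comment or of OpenSSH's own code. It assumes the ssh-ed25519-cert-v01@openssh.com wire layout documented in OpenSSH's PROTOCOL.certkeys and that a KRL spec "hash:" line takes the fingerprint in the form ssh-keygen -l prints it; the key bytes and signature in make_samples are constructed and never verified.

```python
import base64
import hashlib
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"

def _s(b: bytes) -> bytes:
    """Encode an SSH wire 'string': 4-byte big-endian length, then payload."""
    return struct.pack(">I", len(b)) + b
def _reads(buf: bytes, off: int):
    """Decode one SSH wire 'string' at off; return (payload, next offset)."""
    n = struct.unpack(">I", buf[off:off + 4])[0]
    return buf[off + 4:off + 4 + n], off + 4 + n
def fingerprint(blob: bytes) -> str:
    """ssh-keygen -l style fingerprint: 'SHA256:' + unpadded base64 of SHA256(blob)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
def cert_info(cert_line: str) -> dict:
    """Extract the KRL-relevant fields of an ssh-ed25519 certificate: plain key, serial, CA key."""
    blob = base64.b64decode(cert_line.split()[1])
    ktype, off = _reads(blob, 0)
    assert ktype == CERT_TYPE, "not an ssh-ed25519 certificate"
    _nonce, off = _reads(blob, off)
    pk, off = _reads(blob, off)
    serial, _ctype = struct.unpack(">QI", blob[off:off + 12])
    key_id, off = _reads(blob, off + 12)
    _principals, off = _reads(blob, off)
    off += 16                                   # valid_after, valid_before (uint64 each)
    for _ in range(3):                          # critical options, extensions, reserved
        _, off = _reads(blob, off)
    ca_blob, _ = _reads(blob, off)              # signature key; the signature follows it
    return {"plain_key": _s(b"ssh-ed25519") + _s(pk), "serial": serial,
            "key_id": key_id.decode(), "ca_fingerprint": fingerprint(ca_blob)}

def krl_spec_line(pubkey_line: str) -> str:
    """A 'hash:' KRL spec line. For a certificate this hashes the wrapped plain key,
    not the CA/serial pair, so it also covers any other cert issued for that key."""
    blob = base64.b64decode(pubkey_line.split()[1])
    if pubkey_line.startswith(CERT_TYPE.decode()):
        blob = cert_info(pubkey_line)["plain_key"]
    return "hash: " + fingerprint(blob)

def make_samples():
    """Constructed sample lines: arbitrary key bytes and a dummy signature (never verified)."""
    pk1, pk2, ca_pk = bytes(range(32)), bytes(range(32, 64)), bytes(range(64, 96))
    ca = _s(b"ssh-ed25519") + _s(ca_pk)
    cert = (_s(CERT_TYPE) + _s(b"nonce") + _s(pk2) + struct.pack(">QI", 3007, 1)
            + _s(b"user2") + _s(_s(b"user2")) + struct.pack(">QQ", 0, 2**64 - 1)
            + _s(b"") + _s(b"") + _s(b"") + _s(ca) + _s(b"dummy-signature"))
    enc = lambda t, b: t + " " + base64.b64encode(b).decode()
    return enc("ssh-ed25519", _s(b"ssh-ed25519") + _s(pk1)), enc(CERT_TYPE.decode(), cert)
```

Feeding real user1_id25519.pub and user2_id25519-cert.pub lines to krl_spec_line gives the spec entries that `ssh-keygen -kuf my.krl` would store as "hash:" records, while cert_info shows the CA fingerprint and serial that the default, smaller encoding keys on.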