On Wed, Mar 20, 2024 at 11:03:16AM +0000, Michael Kjörling wrote:
> On 20 Mar 2024 15:46 +0800, from jeremy.ard...@gmail.com (jeremy ardley):
> > Regarding certificates, I issue VPN certificates to be installed on each
> > remote device. I don't use public key.
> 
> What exactly is this "certificate" that you speak of? In typical
> usage, it means a public key plus some surrounding metadata, but you
> say that you "don't use public key".

My take. I'm always a bit oversuspicious when umbrella words are thrown
around.

A certificate is (usually) a signed public key. You need it whenever
you need more complex key management (definitely not when things are
between your server and you).

> > For ssh use I issue secret keys to each user and maintain matching public
> > keys in LDAP servers [...]

> So the private keys aren't private, thereby invalidating a lot of
> assumptions inherent in public key cryptography.

We are using that schema in our (small) company, too. Private keys
are definitely private here (we don't "issue keys" to anyone, everyone
uploads their *public* keys to the LDAP).

> Also, are you saying that you do not let users rotate their keys
> themselves; and if so, why on Earth not?

Definitely. "Issuing keys" to people is a "crypto smell". I know,
it is being done far too often. People are too stupid to make their
key pairs, it is often said. But keeping people stupid is your
biggest security hole!

Cheers
-- 
t
