by mail.netbsd.org with SMTP; 18 Oct 2000 16:19:51 -0000
	by mail1.panix.com (Postfix) with ESMTP id 45E6D48E50
	for <tech-security@netbsd.org>; Wed, 18 Oct 2000 12:19:50 -0400 (EDT)
Date: Wed, 18 Oct 2000 12:19:50 -0400
From: Thor Lancelot Simon <tls@rek.tjls.com>
To: tech-security@netbsd.org
Subject: Re: setuid ssh
Message-ID: <20001018121950.A18856@rek.tjls.com>
Reply-To: tls@rek.tjls.com
References: <atatat@atatdot.net> <20001018142031.6072B2A2A@orchard.arlington.ma.us> <20001018102640.A293@noc.untraceable.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20001018102640.A293@noc.untraceable.net>; from atatat@atatdot.net on Wed, Oct 18, 2000 at 10:26:40AM -0400

On Wed, Oct 18, 2000 at 10:26:40AM -0400, Andrew Brown wrote:
> >> a mini-certificate?  it could just be a time_t, yes?  appended to the
> >> key before hashing for signing, and then kept with it.  or am i again
> >> simply restating what you said?
> >
> >Yes.
> >
> >In general terms, a certificate is a signed statement by a certifying
> >authority saying that some set of attributes are attached to a key.
> >
> >In this case, the certifying authority is the entity in control of the
> >long-term key, and the "attributes" include the expiration time (and
> >probably also the user identity);
> >
> >X.509 defines one kind of certificate; SPKI defines another; dnssec
> >signatures are another kind; pgp has its own certificate structure...
> 
> and this would be yet another, albeit smaller, with only one value,
> name implied.

You're all describing *exactly* why I've believed for a long time that the
ssh agent is a crock, and that if you want this functionality from ssh you
should just use it with krb5 authentication and be done with it.