Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://akko.erincandescent.net/objects/66c2e38e-7656-486d-ab2d-dcb9cb546c16">Erin 💽✨ (erincandescent@akko.erincandescent.net)'s status on Sunday, 01-Sep-2024 22:40:27 JST</a><a href="https://akko.erincandescent.net/users/erincandescent" title="erincandescent@akko.erincandescent.net"><img src="https://gnusocial.jp/avatar/242079-48-20240514235327.webp" width="48" height="48" alt="Erin 💽✨" style="position: absolute; left: 0; top: 0;">Erin 💽✨</a><div><a href="https://gnusocial.jp/notice/7058778" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/12401" title="q@glauca.space">Q ✨</a></li><li><a href="https://gnusocial.jp/user/79514" title="dequbed@mastodon.chaosfield.at">nadja</a></li><li><a href="https://gnusocial.jp/user/250095" title="theresnotime@fox.nexus">Sammy Fox  :nonbinaryFlag:</a></li></ul></div></section><article><p><a href="https://mastodon.chaosfield.at/@dequbed">@dequbed</a> <a href="https://cathode.church/@Gaelan">@Gaelan</a> <a href="https://fox.nexus/@theresnotime">@theresnotime</a> <a href="https://glauca.space/@q">@q</a> <a href="https://social.shadowkat.net/users/izaya">@izaya</a> Sure, but SSH CAs sidestep that by… making it too simple. Because the longest possible path is Key -&gt; CA</p><p>So my Root CA has to be online regularly to resign my actual keys, while if this were X.509 the root CA would be kept offline and I’d use the intermediate to regularly resign my end-user certificates.</p><p>(I know SSH has KRLs. They have even less deployment than X.509 CRLs, which suck)</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/3598951#notice-7058779">In conversation</a><time datetime="2024-09-01T22:40:27+09:00" title="Sunday, 01-Sep-2024 22:40:27 JST">about 3 months ago</time> <span>from <span><a href="https://akko.erincandescent.net/objects/66c2e38e-7656-486d-ab2d-dcb9cb546c16" rel="external" title="Sent from akko.erincandescent.net via ActivityPub">akko.erincandescent.net</a></span></span><a href="https://akko.erincandescent.net/objects/66c2e38e-7656-486d-ab2d-dcb9cb546c16">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
Erin 💽✨ (erincandescent@akko.erincandescent.net)'s status on Sunday, 01-Sep-2024 22:40:27 JSTErin 💽✨
in reply to
@dequbed @Gaelan @theresnotime @q @izaya Sure, but SSH CAs sidestep that by… making it too simple. Because the longest possible path is Key -> CA
So my Root CA has to be online regularly to resign my actual keys, while if this were X.509 the root CA would be kept offline and I’d use the intermediate to regularly resign my end-user certificates.
(I know SSH has KRLs. They have even less deployment than X.509 CRLs, which suck)
In conversationabout 3 months ago from akko.erincandescent.netpermalink

Public

Embed Notice

HTML Code

Corresponding Notice