Matthew McPherrin

Results 60 issues of Matthew McPherrin

Right now, a root appears as something like this: ``` Serial: 927650371 Valid: 1999-05-25 16:09 UTC to 2019-05-25 16:39 UTC Signature: SHA1-RSA (self-signed) Subject Info: Country: US Organization: Entrust.net Organizational...

help wanted
Hacktoberfest

Many Java trust stores are "protected" with the default password `changeit`. Password protection often provides little value when the files are protected, perhaps in a secrets management system. Other passwords...

I believe we consider this improper behaviour: https://github.com/letsencrypt/pebble/blob/main/test/chisel2.py#L67-L71

- [ ] ROCA RSA keys
- [ ] Debian weak keys
- [ ] too small keys (e.g., 1024-bit RSA)
- [ ] algorithm policy (e.g., require ed25519)

We use "ON DUPLICATE UPDATE" in the database tracking host keys, and return the row ID. But that doesn't work if a host changes its host key.

We should have integration tests that grab various OpenSSH versions and run them in a Docker container with Sharkey, to ensure we're compatible and our certs actually work.

task

We should support:
- a known_hosts of registered hosts (what we have right now)
- a known_hosts with the CAs used for all currently issued certs (today, we only support...

enhancement

I wrote a design doc, which should be published in this repo (minus any proprietary stuff).

task

It seems like it should be fairly straightforward to use a PKCS11 HSM to hold the CA. We can use https://github.com/letsencrypt/pkcs11key to get a crypto.Signer and then x/crypto/ssh's NewSignerFromSigner.

enhancement