
With normal keys you have a similar issue of removing the key from all servers. If you can do this, you can also deploy a revocation list.



My point is that, at first glance, this appears to be a solution that doesn't require you to do an operation on all N servers when you add a new key. Just warning people that you DO still need to have that infrastructure in place to push updated CRLs, although you'll hopefully need to use it a lot less than if you were manually pushing updated authorized_keys files to everything.


Easier to test if Jenkins can SSH in than to test a former employee cannot. Especially if you don't have the unencrypted private key.
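Added example, not written by any commenter in this thread: a check for the two concerns raised above, that the revocation list must reach every server and that lockout is hard to test without the private key. It assumes OpenSSH key revocation lists (built with `ssh-keygen -k`, queried with `ssh-keygen -Q`) whose per-server copies have been fetched into local directories; all keys, names and paths are constructed.

```shell
#!/bin/sh
# Constructed data: throwaway keys in a temp dir. The "server" directories
# stand in for revocation-list copies fetched from real hosts (assumption).

# Succeeds only if PUBKEY is listed as revoked in KRL.
# An unreadable or missing KRL counts as "not revoked", which is the safe answer here.
is_revoked() {  # usage: is_revoked KRL PUBKEY
    ssh-keygen -Q -f "$1" "$2" 2>/dev/null | grep -q 'REVOKED$'
}

# Prints every KRL copy that does not yet revoke PUBKEY.
stale_copies() {  # usage: stale_copies PUBKEY KRL...
    key=$1; shift
    for krl in "$@"; do
        is_revoked "$krl" "$key" || echo "$krl"
    done
}

# Builds a constructed two-server fleet and prints the stale copies.
demo() {
    d=$(mktemp -d) || return 1
    for who in old-laptop former-employee jenkins; do
        ssh-keygen -q -t ed25519 -N '' -C "$who" -f "$d/$who" || return 1
    done
    mkdir "$d/server-a" "$d/server-b"
    # server-a has the current list; server-b missed the last push.
    ssh-keygen -q -k -f "$d/server-a/krl" \
        "$d/old-laptop.pub" "$d/former-employee.pub" >/dev/null
    ssh-keygen -q -k -f "$d/server-b/krl" "$d/old-laptop.pub" >/dev/null
    # Only the public half of the departed user's key is needed for the check.
    rm -f "$d/former-employee"
    stale_copies "$d/former-employee.pub" "$d/server-a/krl" "$d/server-b/krl"
    rm -rf "$d"
}

demo
```

This confirms what each list copy contains, not that a given sshd is configured to load it (`RevokedKeys` in `sshd_config`), so that setting still has to be verified per host.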



