I've been reading about setting up an ssh certificate authority and controlling access via key revocation lists. And in the man page, it lists a -z
option for specifying a version number for a key revocation list. It is not very clear from context what purpose this option serves. Can anyone explain what it does?
Also, the mechanism for adding a key to the revocation list is clear, but is there any way to remove a key from the revocation list? If you make a mistake, would the entire key revocation list have to be regenerated? Is that what the version number does? Is there a consensus on best practices when it comes to managing the list and keeping track of what keys have been revoked?
Any insight is greatly appreciated.
0 Answers