by larelli 2087 days ago
I think I understand how signing keys removes the need to update every server when adding a user to the system, but it seems like that comes at the price of having to update them all when someone leaves to revoke their certificates. What is the benefit of pulling revoked certificates to all servers periodically vs pulling authorized_keys files? Is it possible to work around this at all, e.g. conceive a system that eliminates all needs to push to servers? Is an online lookup like LDAP the way to go there?
3 comments

If you use certs, then you also get Certificate revocation lists. You don't just trust the CA, you also trust the CA's CRL.

https://en.wikipedia.org/wiki/Certificate_revocation_list

The certificates have an expiration date, so if something goes wrong on that end at least it will expire after some time. Also, this takes care of role-based access - this you might not have with an authorized_keys file solution?
Certificates should have an expiration date; any system implemented with this pattern should expire after a couple of hours.

If manual, I would even consider doing it every week with the caveat that it would be a large attack vector.
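The thread's three pieces (a CA that signs short-lived user certificates, a server configuration that never changes when a user is added, and a Key Revocation List that is the only thing pushed when someone leaves) fit in one OpenSSH script. This is an added example, not code from the thread: every key, principal, serial and path is constructed for the demo, and it assumes only that `ssh-keygen` is installed.

```shell
#!/bin/sh
# Added example (not from the thread): OpenSSH user-certificate lifecycle with
# a CA, a short-lived cert and a Key Revocation List (KRL). Every key,
# principal, serial and path is constructed for the demo.
set -eu

# Build a throwaway CA plus two user keys, and sign alice's key with a
# certificate that is valid for two hours and carries explicit principals.
make_demo_pki() {
    dir=$1
    ssh-keygen -q -t ed25519 -N '' -C 'demo user CA' -f "$dir/user_ca"
    ssh-keygen -q -t ed25519 -N '' -C 'alice (demo)' -f "$dir/alice"
    ssh-keygen -q -t ed25519 -N '' -C 'bob (demo)'   -f "$dir/bob"
    # -I key id (logged by sshd), -n principals, -V validity, -z serial.
    # Output lands in $dir/alice-cert.pub.
    ssh-keygen -q -s "$dir/user_ca" -I 'alice@demo' -n alice,deploy \
        -V +2h -z 1001 "$dir/alice.pub"
}

# All a server needs is the CA public key and (optionally) a KRL. Neither file
# changes when a user is added; only the KRL changes when a cert is revoked.
write_demo_sshd_config() {
    dir=$1
    cat > "$dir/sshd_config.snippet" <<EOF
TrustedUserCAKeys $dir/user_ca.pub
RevokedKeys $dir/revoked.krl
EOF
}

# Print the certificate's principals as one space-separated line.
cert_principals() {
    ssh-keygen -L -f "$1" | awk '
        /Principals:/       { inlist = 1; next }
        /Critical Options:/ { inlist = 0 }
        inlist              { gsub(/^[ \t]+/, ""); print }' |
        tr '\n' ' ' | sed 's/ $//'
}

# Revoke a certificate by serial number (needs the CA public key) into a KRL.
# $1 = CA public key, $2 = KRL path to create, $3 = certificate to revoke.
revoke_cert() {
    ssh-keygen -q -k -f "$2" -s "$1" "$3"
}

# Answer "revoked" or "valid" for a key or certificate checked against a KRL;
# ssh-keygen -Q exits non-zero when the key is listed.
krl_status() {
    if ssh-keygen -Q -f "$1" "$2" >/dev/null 2>&1; then
        echo valid
    else
        echo revoked
    fi
}

main() {
    if ! command -v ssh-keygen >/dev/null 2>&1; then
        echo 'ssh-keygen not found; nothing to run' >&2
        return 0
    fi
    work=$(mktemp -d)
    make_demo_pki "$work"
    write_demo_sshd_config "$work"
    echo "principals: $(cert_principals "$work/alice-cert.pub")"
    ssh-keygen -L -f "$work/alice-cert.pub" | grep 'Valid:'
    revoke_cert "$work/user_ca.pub" "$work/revoked.krl" "$work/alice-cert.pub"
    echo "alice cert: $(krl_status "$work/revoked.krl" "$work/alice-cert.pub")"
    echo "bob key:    $(krl_status "$work/revoked.krl" "$work/bob.pub")"
    rm -rf "$work"
}

main
```

Two points the script makes concrete: the `Valid:` line is the expiry the commenters lean on (a lost key or a missed KRL push is bounded by the certificate lifetime, not by the next sync), and revoking by serial means the KRL entry is a few bytes per certificate, so distributing it to every server is far cheaper than distributing full `authorized_keys` files. Note that serials default to 0 when `-z` is omitted, so a serial-based revocation of one such cert revokes every cert the CA issued without a serial.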