IETF-SSH archive


x.509 signature clarification?



We've been looking at x.509 certificates, as specified in
the draft and as implemented by SSH Communications in their
3.0 release, and have come to the conclusion that the
draft is underspecified.

From the transport draft 4.6 (pg. 11):

> The "x509v3-sign-rsa" method indicates that the certificates, the public
> key, and the resulting signature are in X.509v3 compatible DER-encoded
> format. The formats used in X.509v3 is described in [RFC-2459]. This
> method indicates that the key (or one of the keys in the certificate) is
> an RSA-key.

Looking at RFC 2459, it appears that it describes the profile
for x.509 certificates, but doesn't really specify anything about 
signature encoding.  I think this reference can be dropped.

For x.509 certificates using rsa keys, SSH Communications 3.0
appears to be using PKCS #1 with MD5.  I'm not sure what they
are doing for DSS signatures.

There appear to be two areas where the draft needs clarification:

1. Which digest algorithm should be used?  (Given that we use
   SHA1 for ssh-rsa keys, this would seem the natural choice.)

2. What should the format of the signature be?

I'm tempted to suggest that the signature is in PKCS #7
format, though this seems to be a bit of an overkill...
it would, however, address both the above problems, because
the digest algorithm would be specified as part of the PKCS #7
packet.  We might consider specifying a PKCS #7 signature,
with an "external signature" and no included certificates
or CRL information.

Joseph Galbraith
galb-list%vandyke.com@localhost
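The two open questions in the message above (which digest, and what the signature bytes look like), as an added illustration that is not part of Joseph Galbraith's message and does not describe SSH Communications' implementation: a pure standard-library Python model of an RSA PKCS #1 v1.5 signature. It shows that the DER DigestInfo inside the padding names the hash (MD5 or SHA-1), so a verifier can recover which digest the signer used, and that the verifier still needs an explicit policy on which digests it accepts. The RSA key is a constructed toy (two Mersenne primes, trivially factorable, demo only), and every function name here is this example's own.

```python
"""
Toy model of an RSA PKCS #1 v1.5 signature: the DigestInfo embedded in the
padding identifies the hash, but the verifier must still decide which hashes
it admits. Standard library only; the key is an insecure constructed toy.
"""
import hashlib
import hmac

# DigestInfo DER prefixes as listed in PKCS #1 (RFC 2313 / RFC 3447, 9.2).
DIGEST_INFO_PREFIX = {
    "md5": bytes.fromhex("3020300c06082a864886f70d020505000410"),
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
}

# Constructed toy key (assumption of this example): two Mersenne primes,
# trivially factorable, chosen only so the modulus fits a DigestInfo.
_P = (1 << 521) - 1
_Q = (1 << 127) - 1
RSA_E = 65537
RSA_N = _P * _Q
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))
RSA_K = (RSA_N.bit_length() + 7) // 8  # modulus length in octets (81)


def emsa_pkcs1_v15_encode(message: bytes, hash_name: str, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5: 0x00 0x01 || PS (0xff...) || 0x00 || DigestInfo."""
    t = DIGEST_INFO_PREFIX[hash_name] + hashlib.new(hash_name, message).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def rsa_sign(message: bytes, hash_name: str) -> bytes:
    """Sign with the toy key using the named digest; returns RSA_K octets."""
    em = emsa_pkcs1_v15_encode(message, hash_name, RSA_K)
    return pow(int.from_bytes(em, "big"), RSA_D, RSA_N).to_bytes(RSA_K, "big")


def identify_digest(em: bytes):
    """Strictly parse an encoded message; return (hash_name, digest) or None.
    The padding string must be all 0xff and at least 8 octets long."""
    if len(em) < 11 or em[:2] != b"\x00\x01":
        return None
    sep = em.find(b"\x00", 2)
    if sep < 10 or em[2:sep] != b"\xff" * (sep - 2):
        return None
    t = em[sep + 1:]
    for name, prefix in DIGEST_INFO_PREFIX.items():
        if t.startswith(prefix) and len(t) == len(prefix) + hashlib.new(name).digest_size:
            return name, t[len(prefix):]
    return None


def rsa_verify(message: bytes, signature: bytes, allowed=("sha1",)):
    """Return the digest name if the signature verifies AND that digest is in
    `allowed`; otherwise None. A mathematically valid MD5 signature is
    rejected unless the caller's policy admits MD5."""
    if len(signature) != RSA_K:
        return None
    s = int.from_bytes(signature, "big")
    if s >= RSA_N:
        return None
    em = pow(s, RSA_E, RSA_N).to_bytes(RSA_K, "big")
    found = identify_digest(em)
    if found is None:
        return None
    name, digest = found
    if name not in allowed:
        return None
    if not hmac.compare_digest(digest, hashlib.new(name, message).digest()):
        return None
    return name


if __name__ == "__main__":
    msg = b"ssh transport test message"  # constructed sample input
    for h in ("md5", "sha1"):
        sig = rsa_sign(msg, h)
        print(h, "accepted as:", rsa_verify(msg, sig, allowed=("sha1",)))
```

The point of `allowed` is that self-identification is not a substitute for specification: a verifier that accepts whatever DigestInfo the signer chose lets the signer pick the weakest digest, so the draft (or the implementation) has to pin the set, which is the clarification the message asks for.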
