IETF-SSH archive


x.509v3 publickeys and signatures



In the transport draft, Section 4.6, we specify that
public keys are, in general, encoded as:

     string   certificate or public key format identifier
     byte[n]  key/certificate data

However, the sections on x.509 are less clear.  And in fact,
SSH Communications' current x.509 implementation omits the
string, including only the certificate data -- although
the string is included when sending signatures.

I would suggest we include the following text in the section
documenting "x509v3-sign-rsa":

The "x509v3-sign-rsa" key format has the following specific encoding:

     string    "x509v3-sign-rsa"
     byte[n]   x.509v3 compatible der encoded certificate data

The resulting signature is encoded as follows:

     string    "x509v3-sign-rsa"
     string    rsa_signature_blob


Variants to this go in the other x.509 sections as appropriate.

In addition, I would suggest that we note that signatures
made with x509v3-sign-rsa keys MUST use the SHA-1 hash, and
be done using PKCS1.

Joseph Galbraith
galb-list%vandyke.com@localhost
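
The two encodings proposed in the message above, as an added example that is not part of the original post or of any SSH implementation. All function names are hypothetical, and telling the identifier-less key form apart by its leading DER SEQUENCE tag (0x30) is an assumption of this sketch.

```python
import struct

KEY_FORMAT = b"x509v3-sign-rsa"

def ssh_string(data):
    """SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def read_string(buf, off=0):
    """Return (value, next_offset); reject truncated or oversized lengths."""
    if len(buf) - off < 4:
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if n > len(buf) - off:
        raise ValueError("string length exceeds remaining data")
    return buf[off:off + n], off + n

def encode_key(cert_der):
    # string identifier, then byte[n] certificate data (no length prefix)
    return ssh_string(KEY_FORMAT) + cert_der

def encode_signature(rsa_signature_blob):
    return ssh_string(KEY_FORMAT) + ssh_string(rsa_signature_blob)

def parse_key(blob):
    """Return (has_identifier, cert_der) for either encoding."""
    if blob[:1] == b"\x30":  # bare DER SEQUENCE: identifier string omitted
        return False, blob
    name, off = read_string(blob)
    if name != KEY_FORMAT:
        raise ValueError("unexpected key format identifier")
    return True, blob[off:]

def parse_signature(blob):
    name, off = read_string(blob)
    if name != KEY_FORMAT:
        raise ValueError("unexpected signature format identifier")
    sig, off = read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after signature")
    return sig

# Constructed placeholder, not a real certificate: a minimal DER SEQUENCE.
SAMPLE_CERT = bytes.fromhex("3003020100")

if __name__ == "__main__":
    print(parse_key(encode_key(SAMPLE_CERT)))  # proposed encoding
    print(parse_key(SAMPLE_CERT))              # identifier omitted
```

A receiver can use the `has_identifier` flag to log which peers still send the certificate without the leading format string.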



