IETF-SSH archive
x509
I'm trying to figure out how x509 support should actually work.
I think about sending certs encoded as "x509v3-sign-rsa" and the actual
signature as "ssh-rsa", since there is no spec for what a matching
x509-signature should look like.
How should certificates be encoded in "x509v3-sign-rsa"?
The spec seems a little bit ambiguous to me:

    Certificates and public keys are encoded as follows:
        string    certificate or public key format identifier
        byte[n]   key/certificate data

    The certificate part may be a zero length string, but a public
    key is required. This is the public key that will be used for
    authentication; the certificate sequence contained in the certificate
    blob can be used to provide authorization.
Does this mean that "x509v3-sign-rsa" is encoded as

    string    "x509v3-sign-rsa"
    byte[n]   DER-encoded x509 cert

or

    string    "x509v3-sign-rsa"
    int32     n
    byte[n]   DER-encoded x509 cert
What does "but a public key is required" mean? Zero length strings
for certificates? Are they always required?
How is the encoding for userauth?

    byte      SSH_MSG_USERAUTH_REQUEST
    string    user name
    string    service
    string    "publickey"
    boolean   FALSE
    string    public key algorithm name
    string    public key blob

For RSA keys the 'public key algorithm name' is "ssh-rsa"
and the 'public key blob' is

    string    "ssh-rsa"
    mpint     e
    mpint     n
What is used for x509 certs?
-m
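As an added illustration (not part of the original message), the "ssh-rsa" public key blob and the SSH_MSG_USERAUTH_REQUEST query layout quoted above, built from the RFC 4251 wire types: string (uint32 length prefix), mpint (minimal two's-complement big-endian, zero as an empty string, a leading 0x00 byte when the high bit is set) and boolean. The user name, service and key values are constructed sample values, not real keys.

```python
import struct

SSH_MSG_USERAUTH_REQUEST = 50  # RFC 4250 message number


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length, then the raw bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint': zero is an empty string; otherwise the minimal
    big-endian two's-complement bytes, padded with 0x00 if the MSB is set."""
    if value < 0:
        raise ValueError("negative mpint not needed for RSA parameters")
    if value == 0:
        return ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw  # keep the number positive
    return ssh_string(raw)


def ssh_rsa_blob(e: int, n: int) -> bytes:
    """The 'public key blob' for "ssh-rsa": string "ssh-rsa", mpint e, mpint n."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def read_string(buf: bytes, off: int):
    """Decode one RFC 4251 string at offset, returning (bytes, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n


def parse_ssh_rsa_blob(blob: bytes):
    """Walk a blob back into (algorithm name, e, n); rejects trailing bytes."""
    algo, off = read_string(blob, 0)
    e_raw, off = read_string(blob, off)
    n_raw, off = read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing data after mpint n")
    return algo.decode(), int.from_bytes(e_raw, "big"), int.from_bytes(n_raw, "big")


def userauth_publickey_query(user: str, service: str, algo: str, blob: bytes) -> bytes:
    """SSH_MSG_USERAUTH_REQUEST with boolean FALSE (query, no signature)."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST]) + ssh_string(user.encode())
            + ssh_string(service.encode()) + ssh_string(b"publickey")
            + b"\x00" + ssh_string(algo.encode()) + ssh_string(blob))
```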