Re: x509

To: Joseph Galbraith <galb-list%vandyke.com@localhost>
Subject: Re: x509
From: Damien Miller <djm%mindrot.org@localhost>
Date: Thu, 31 Jan 2002 11:29:58 +1100 (EST)

On Wed, 30 Jan 2002, Joseph Galbraith wrote:

> > i don't see why we cannot use the current "ssh-rsa" encoding:
> > transfer a x509 certificate in addition to "ssh-rsa" encoded
> > signature?
> >
> > since "x509v3-sign-rsa" is not specified in detail, it should be
> > dropped from the draft and replaced by something like
> > "x509v5-ssh-rsa"
> > meaning:
> > public key is transfered in "x509v3" format and
> > the current "ssh-rsa" is used for encoding for signatures.

I like the idea of removing the underspecified Public Key Algorithms and
replacing them with equivalents based on the current ssh-rsa and ssh-dss
methods.

e.g.

string "ssh-rsa-x509v3"
mpint e
mpint n
string der_encoded_certificate

This scales nicely to the other certificate (SPKI, OpenPGP) methods. 

It also allows implementations which don't directly support the 
certificate format to continue authentication with the pubkey only. Though 
this may be dangerous as it would miss additional restrictions implicit in 
the certificate, e.g. validity periods in X.509v3 & OpenPGP or 
restrictions in SPKI.

-d

Follow-Ups:
- Re: x509
  - From: Joseph Galbraith
- Re: x509
  - From: Niels Möller

References:
- Re: x509
  - From: Joseph Galbraith

Prev by Date: Re: x509
Next by Date: Re: x509
Previous by Thread: Re: x509
Next by Thread: Re: x509
Indexes:

Home | Main Index | Thread Index | Old Index