IETF-SSH archive


Re: x509



On Wed, 30 Jan 2002, Joseph Galbraith wrote:

> > I don't see why we cannot use the current "ssh-rsa" encoding:
> > transfer an x509 certificate in addition to "ssh-rsa" encoded
> > signature?
> >
> > Since "x509v3-sign-rsa" is not specified in detail, it should be
> > dropped from the draft and replaced by something like
> > "x509v5-ssh-rsa"
> > meaning:
> > public key is transferred in "x509v3" format and
> > the current "ssh-rsa" is used for encoding for signatures.

I like the idea of removing the underspecified Public Key Algorithms and
replacing them with equivalents based on the current ssh-rsa and ssh-dss
methods.

e.g.

string "ssh-rsa-x509v3"
mpint e
mpint n
string der_encoded_certificate

This scales nicely to the other certificate (SPKI, OpenPGP) methods. 

It also allows implementations which don't directly support the 
certificate format to continue authentication with the pubkey only. Though 
this may be dangerous as it would miss additional restrictions implicit in 
the certificate, e.g. validity periods in X.509v3 & OpenPGP or 
restrictions in SPKI.

-d
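
The key blob layout sketched in the message above, as an added example that is not part of the original post or of any SSH draft: it encodes and strictly parses the four fields using the SSH wire types (`string`, `mpint`). The `decide` policy function, its return values and the sample values are hypothetical; the certificate bytes are a placeholder, not real DER.

```python
import struct

ALG = b"ssh-rsa-x509v3"  # algorithm name taken from the message above

def put_string(data: bytes) -> bytes:
    # SSH "string": uint32 big-endian length, then the raw bytes
    return struct.pack(">I", len(data)) + data

def put_mpint(value: int) -> bytes:
    # SSH "mpint": two's complement, big-endian, minimal length; a positive
    # value whose top bit is set gets a leading zero byte
    if value < 0:
        raise ValueError("RSA parameters are never negative")
    return put_string(value.to_bytes((value.bit_length() + 8) // 8, "big") if value else b"")

def get_string(buf: bytes, off: int):
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + length
    if end > len(buf):
        raise ValueError("field runs past end of blob")
    return buf[off + 4:end], end

def get_mpint(buf: bytes, off: int):
    raw, off = get_string(buf, off)
    if raw and raw[0] & 0x80:
        raise ValueError("negative mpint")
    return int.from_bytes(raw, "big"), off

def encode_blob(e: int, n: int, der_cert: bytes) -> bytes:
    return put_string(ALG) + put_mpint(e) + put_mpint(n) + put_string(der_cert)

def parse_blob(blob: bytes) -> dict:
    name, off = get_string(blob, 0)
    if name != ALG:
        raise ValueError("unexpected algorithm name")
    e, off = get_mpint(blob, off)
    n, off = get_mpint(blob, off)
    cert, off = get_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after certificate")
    return {"e": e, "n": n, "cert": cert}

def decide(parsed: dict, can_validate_x509: bool, allow_pubkey_only: bool = False) -> str:
    # Hypothetical policy: fail closed if the certificate cannot be checked,
    # since bare e/n carries none of its restrictions (e.g. validity period)
    if can_validate_x509:
        return "validate-certificate"
    return "pubkey-only" if allow_pubkey_only else "reject"

# Constructed sample values; the certificate bytes are a placeholder, not real DER
SAMPLE = encode_blob(65537, 0xC0FFEE0123456789, b"PLACEHOLDER-DER")
```

An implementation that does validate the certificate would also need to confirm that `e` and `n` in the blob match the key inside it; that step needs an X.509 parser and is not shown.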