IETF-SSH archive
Re: x509
On Wed, Jan 30, 2002 at 04:59:51PM -0700, Joseph Galbraith wrote:
> > In the transport draft, Section 4.6, we specify that
> > public keys are, in general, encoded as:
> >
> >     string   certificate or public key format identifier
> >     byte[n]  key/certificate data
> >
> > However, the sections on x.509 are less clear. And in fact,
> > SSH Communications current x.509 implementation omits the
> > string, including only the certificate data -- although
> > the string is included when sending signatures.
I think they use

    byte[n]  der-encoded-x509-cert

instead of

    string   "x509v3-sign-rsa"
    byte[n]  der-encoded-x509-cert

because with the second encoding the length of the DER blob is not made
explicit, while with the first encoding you have the length, because the
pubkey is usually wrapped into a

    string   pubkeyorcertblob

An encoding similar to

    string   "x509v3-sign-rsa"
    int32    n
    byte[n]  der-encoded-x509-cert

would be more in line with the other encodings.
However, the transport draft also states:

    The key type MUST always be explicitly known (from algorithm
    negotiation or some other source). It is not normally included in
    the key blob.

This does not match with:

    Certificates and public keys are encoded as follows:

    string   certificate or public key format identifier
    byte[n]  key/certificate data

Or am I missing something?
-m
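The three encodings discussed in the message above, worked through in code. This is an added example and is not code from the thread, from the draft, or from any SSH implementation; the format identifier "x509v3-sign-rsa" is taken from the message, while FAKE_CERT is a constructed stand-in (a bare DER SEQUENCE with a long-form length) rather than a real certificate. The point it shows is the one raised in the message: an SSH "string" carries its own uint32 length, so when a DER blob follows the identifier as raw byte[n] the receiver has to get n either from the wrapping string (everything that is left) or by parsing the DER TLV header, and the two answers differ as soon as anything trails the certificate; the "string + string" form removes the ambiguity and lets the parser reject trailing bytes.

```python
import struct

FORMAT_ID = b"x509v3-sign-rsa"

# Constructed stand-in for a DER certificate: SEQUENCE, long-form length
# (0x81 0xC8 = 200 content bytes), 203 bytes in total. Not a real certificate.
FAKE_CERT = b"\x30\x81\xc8" + bytes(200)


def ssh_string(data: bytes) -> bytes:
    """SSH 'string' type: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_ssh_string(buf: bytes, off: int = 0):
    """Return (value, next_offset) for the SSH string starting at buf[off:]."""
    if len(buf) - off < 4:
        raise ValueError("truncated uint32 length")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if len(buf) - off < n:
        raise ValueError("string body shorter than declared length")
    return buf[off:off + n], off + n


def der_tlv_length(buf: bytes, off: int = 0) -> int:
    """Total size (tag + length octets + content) of the DER TLV at buf[off:].

    Handles short-form and definite long-form lengths; indefinite form
    (0x80) is not DER and is rejected.
    """
    if len(buf) - off < 2:
        raise ValueError("truncated TLV header")
    first = buf[off + 1]
    if first < 0x80:                      # short form: one length octet
        return 2 + first
    nbytes = first & 0x7F                 # long form: number of length octets
    if nbytes == 0 or nbytes > 4:
        raise ValueError("indefinite or oversized DER length")
    if len(buf) - off < 2 + nbytes:
        raise ValueError("truncated long-form length")
    content = int.from_bytes(buf[off + 2:off + 2 + nbytes], "big")
    return 2 + nbytes + content


# The three shapes from the message.
def encode_cert_only(cert: bytes) -> bytes:
    """byte[n] der-encoded-x509-cert (reported SSH Communications behaviour)."""
    return cert


def encode_id_plus_raw(cert: bytes) -> bytes:
    """string id; byte[n] der-encoded-x509-cert (literal reading of Section 4.6)."""
    return ssh_string(FORMAT_ID) + cert


def encode_id_plus_string(cert: bytes) -> bytes:
    """string id; string der-encoded-x509-cert (the proposed explicit-length form)."""
    return ssh_string(FORMAT_ID) + ssh_string(cert)


def decode_id_plus_raw(blob: bytes):
    """Decode the ambiguous form two ways.

    'by_wrapper' takes n from the enclosing string, i.e. all remaining bytes;
    'by_der' takes n from the DER header. They agree only when nothing
    follows the certificate inside the blob.
    """
    ident, off = parse_ssh_string(blob)
    by_wrapper = blob[off:]
    n = der_tlv_length(blob, off)
    by_der = blob[off:off + n]
    return ident, by_wrapper, by_der


def decode_id_plus_string(blob: bytes):
    """Decode the explicit-length form and refuse trailing garbage."""
    ident, off = parse_ssh_string(blob)
    cert, off = parse_ssh_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after certificate")
    return ident, cert


if __name__ == "__main__":
    raw = encode_id_plus_raw(FAKE_CERT)
    _, w, d = decode_id_plus_raw(raw + b"\x00\x01")   # two junk bytes appended
    print("wrapper-derived length:", len(w), "DER-derived length:", len(d))
    print("explicit form round-trips:",
          decode_id_plus_string(encode_id_plus_string(FAKE_CERT))[1] == FAKE_CERT)
```

Running the module prints 205 versus 203 for the two readings of the raw form once two bytes are appended, while the explicit-length form either round-trips exactly or raises on the same trailing bytes. In practice the wrapping string makes the raw form parseable today, but any message that places another field after the certificate forces every implementation to become a DER parser just to find the field boundary.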