IETF-SSH archive
Re: x509
On Thu, 2002-01-31 at 22:11, Markus Friedl wrote:
> > I think it makes sense to keep the ssh-dsa and ssh-rsa encodings for
> > signatures. Certificate standards typically don't define formats for
> > detached signatures. Whether or not a new name is attached to the data
> > isn't terribly important, but I'd prefer *not* introducing new
> > redundant names.
>
> ok, then the transport draft must say:
>
> signatures for hostkeys of type "ssh-rsa-x509v3" are
> encoded as
> string "ssh-rsa"
> string rsa_signature_blob.
Here is a modified modified version of the relevant section of the
draft. I have removed the "old" certificate-based formats, perhaps they
need to be included? The contents of the certificate blobs themselves
need further specification too.
--------------------------------
4.6 Public Key Algorithms
This protocol has been designed to be able to operate with almost any
public key format, encoding, and algorithm (signature and/or
encryption).
There are several aspects that define a public key type:
   o  Key format: how is the key encoded and how are certificates
      represented. The key blobs in this protocol MAY contain
      certificates in addition to keys.
   o  Signature and/or encryption algorithms. Some key types may not
      support both signing and encryption. Key usage may also be
      restricted by policy statements in e.g. certificates. In this
      case, different key types SHOULD be defined for the different
      policy alternatives.
   o  Encoding of signatures and/or encrypted data. This includes but
      is not limited to padding, byte order, and data formats.
The following public key and/or certificate formats are currently
defined:
   ssh-dss           REQUIRED     sign   no-cert   Simple DSS
   ssh-rsa           RECOMMENDED  sign   no-cert   Simple RSA
   ssh-dss-x509v3    RECOMMENDED  sign   cert      X.509 certificates (DSS)
   ssh-rsa-x509v3    RECOMMENDED  sign   cert      X.509 certificates (RSA)
   ssh-dss-spki      OPTIONAL     sign   cert      SPKI certificates (DSS)
   ssh-rsa-spki      OPTIONAL     sign   cert      SPKI certificates (RSA)
   ssh-dss-pgp       OPTIONAL     sign   cert      OpenPGP certificates (DSS)
   ssh-rsa-pgp       OPTIONAL     sign   cert      OpenPGP certificates (RSA)
Additional key types may be defined as specified in [SSH-ARCH].
The key type MUST always be explicitly known (from algorithm
negotiation or some other source). It is not normally included in
the key blob.
Certificates and public keys are encoded as follows:
   string    certificate or public key format identifier
   mpint[n]  key data
   string    certificate data (optional)
The certificate part should not be included for formats which include
signatures only, but a public key is required. This is the public
key that will be used for authentication; the certificate sequence
contained in the certificate blob can be used to provide
authorization.
The "ssh-dss" key format has the following specific encoding:
   string    "ssh-dss"
   mpint     p
   mpint     q
   mpint     g
   mpint     y
Here the p, q, g, and y parameters form the signature key blob.
Signing and verifying using this key format is done according to the
Digital Signature Standard [FIPS-186] using the SHA-1 hash. A
description can also be found in [SCHNEIER].
The certificate formats based on ssh-dss extend the public key
format to include certificate data:
   string    "ssh-dss-x509v3" / "ssh-dss-spki" / "ssh-dss-pgp"
   mpint     p
   mpint     q
   mpint     g
   mpint     y
   string    certificate
In the case of "ssh-dss-x509v3", the certificate must be in an X.509v3
compatible DER-encoded format. The formats used in X.509v3 are
described in [RFC2459]. The key (or one of the keys in
the certificate) MUST be a DSA key which matches the p, q, g and y
public key portions present in the first part of the packet.
The "ssh-dss-spki" method indicates that the certificate blob
contains a sequence of SPKI certificates. The format of SPKI
certificates is described in [RFC2693]. The key (or one of the keys
in the certificate) MUST be a DSA key which matches the p, q, g and y
public key portions present in the first part of the packet.
The "ssh-dss-pgp" method indicates the certificate is in an OpenPGP
compatible binary format ([RFC2440]). The key in the certificate
MUST be a DSS key which matches the p, q, g and y public key portions
present in the first part of the packet.
For all DSS algorithms the resulting signature is encoded as follows:
   string    "ssh-dss"
   string    dss_signature_blob
dss_signature_blob is encoded as a string containing r followed by s
(which are 160 bits long integers, without lengths or padding,
unsigned and in network byte order).
The "ssh-rsa" key format has the following specific encoding:
   string    "ssh-rsa"
   mpint     e
   mpint     n
Here the e and n parameters form the signature key blob.
Signing and verifying using this key format is done according to
[SCHNEIER] and [PKCS1] using the SHA-1 hash.
The certificate formats based on ssh-rsa extend the public key
format to include certificate data:
   string    "ssh-rsa-x509v3" / "ssh-rsa-spki" / "ssh-rsa-pgp"
   mpint     e
   mpint     n
   string    certificate
The format of the certificate string for each of these algorithms is
the same as the DSS certificate algorithms specified above. In all
cases the certificate MUST contain an RSA key which matches the
n and e components sent in the first portion of the packet.
The resulting signature is encoded as follows:
   string    "ssh-rsa"
   string    rsa_signature_blob
rsa_signature_blob is encoded as a string containing s (which is an
integer, without lengths or padding, unsigned and in network byte
order).
--------------------------------------
-d
--
| By convention there is color, \\ Damien Miller <djm%mindrot.org@localhost>
| By convention sweetness, By convention bitterness, \\ www.mindrot.org
| But in reality there are atoms and space - Democritus (c. 400 BCE)
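
An added example, not part of the original message or the draft: a strict parser for the key and signature encodings proposed above, showing that a certificate-bearing key format such as "ssh-rsa-x509v3" is still paired with the plain "ssh-rsa" signature name. The function names and sample bytes are constructed for illustration, and the draft's requirement that the certificate's key match the mpint fields is not checked here because that needs a certificate parser.

```python
import struct

# Certificate key formats reuse the plain signature names (draft text above).
SIG_NAME = {f"ssh-{alg}{suffix}": f"ssh-{alg}" for alg in ("dss", "rsa")
            for suffix in ("", "-x509v3", "-spki", "-pgp")}
MPINTS = {"ssh-dss": ("p", "q", "g", "y"), "ssh-rsa": ("e", "n")}

def put_string(data):
    return struct.pack(">I", len(data)) + data

def get_string(buf, off):
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + length
    if end > len(buf):
        raise ValueError("string runs past end of blob")
    return buf[off + 4:end], end

def parse_key_blob(blob):
    raw_name, off = get_string(blob, 0)
    name = raw_name.decode("ascii")
    if name not in SIG_NAME:
        raise ValueError("unknown key format")
    key = {"format": name}
    for field in MPINTS[SIG_NAME[name]]:
        raw, off = get_string(blob, off)  # an mpint uses the same length framing
        if raw and raw[0] & 0x80:
            raise ValueError("negative mpint in public key")
        key[field] = int.from_bytes(raw, "big")
    if name != SIG_NAME[name]:  # certificate formats carry one trailing string
        key["certificate"], off = get_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after key blob")
    return key

def parse_signature(key_format, sig):
    raw_name, off = get_string(sig, 0)
    sig_blob, off = get_string(sig, off)
    if off != len(sig) or raw_name.decode("ascii") != SIG_NAME[key_format]:
        raise ValueError("signature encoding does not match key format")
    if raw_name == b"ssh-dss" and len(sig_blob) != 40:  # r || s, 160 bits each
        raise ValueError("dss_signature_blob must be exactly 40 bytes")
    return sig_blob

# Constructed sample values (not real key material or a real certificate).
SAMPLE_KEY = (put_string(b"ssh-rsa-x509v3") + put_string(b"\x01\x00\x01")
              + put_string(b"\x00\xc0\xff\xee") + put_string(b"DER-PLACEHOLDER"))
SAMPLE_SIG = put_string(b"ssh-rsa") + put_string(b"\x01" * 16)
```

Rejecting trailing bytes and mismatched signature names keeps a peer from smuggling extra data past the verifier or substituting a different encoding than the negotiated key type implies.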