IETF-SSH archive


Re: x509



[ Ok, I'd better send my reply to the list as well. The message I'm
  replying to first arrived only in my private mailbox. /Niels ]

Damien Miller <djm%mindrot.org@localhost> writes:

> On Thu, 2002-01-31 at 23:01, Niels Möller wrote:
> 
> > But on second thought, this beautiful separation of SSH things from
> > x.509 things doesn't quite work. Somebody *has* to check that the e
> > and n above equals the key that is somewhere inside the ASN.1
> > certificate chain, otherwise, the certificate checking has a hole you
> > can drive a 20 ton truck right through.
> 
> I think that is putting it a little strong - you still have to present a
> valid signature.

But that's trivial, in the scenario I'm thinking about. If I copy the
certificate chain that proves that your key is authorized, and then I
stuff in my own n and e values, together with a matching signature on
the session id, then (i) the x.509 certificate chain is perfectly ok,
and (ii) my signature matches the n and e, so I could get access. The
result is that the certification check is completely bypassed.

> It seems unlikely that implementors would go to all the trouble of
> implementing certificate chain checking, etc only to miss something so
> basic.

I look at it from the opposite direction. The trouble of implementing
certificate checking *must* include digging out the *certified* public
key from the certificate structures. Adding another *uncertified* copy
of the (hopefully same) key in the protocol is totally useless, and
only invites mistakes. The value of it is null and void, so just kill
it.

/Niels
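The key-binding gap Niels describes above, as an added example that is not part of the original thread and not code from either author: a verifier that validates the certificate chain and then checks the signature against the separate, uncertified n and e from the protocol, beside one that takes the key only from the leaf certificate. Everything in it is constructed for illustration: the toy textbook RSA with tiny primes, the simplified `Cert`/`AuthRequest` stand-ins for X.509 and SSH structures, the simplified path validation, and the names Alice, Mallory and "Example CA".

```python
import hashlib
from dataclasses import dataclass


# Toy textbook RSA with tiny primes and no padding. It exists only so the
# two verifiers below can run offline; real code uses a proper library.
def make_key(p, q, e=17):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), d


def _digest_mod_n(session_id, n):
    return int.from_bytes(hashlib.sha256(session_id).digest(), "big") % n


def sign(session_id, d, n):
    return pow(_digest_mod_n(session_id, n), d, n)


def signature_ok(session_id, sig, n, e):
    return pow(sig, e, n) == _digest_mod_n(session_id, n)


@dataclass(frozen=True)
class Cert:
    # Stand-in for an X.509 certificate: only the fields the check needs.
    subject: str
    issuer: str
    public_key: tuple  # (n, e) that the issuer actually certified


def chain_is_trusted(chain, trust_anchors):
    # Simplified stand-in for X.509 path validation: each certificate must be
    # issued by the next one and the chain must end in a trust anchor. Real
    # validation also checks CA signatures, validity periods and so on.
    if not chain:
        return False
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    return chain[-1].subject in trust_anchors


@dataclass(frozen=True)
class AuthRequest:
    # What the peer sends: an uncertified (n, e) copy, the chain, a signature
    # over the session id.
    n: int
    e: int
    chain: tuple
    signature: int


def verify_vulnerable(req, session_id, trust_anchors):
    # Flawed: validates the chain, then checks the signature against the
    # n and e carried separately in the protocol, never comparing the two.
    if not chain_is_trusted(req.chain, trust_anchors):
        return False
    return signature_ok(session_id, req.signature, req.n, req.e)


def verify_fixed(req, session_id, trust_anchors):
    # Fixed: the only key that matters is the one inside the leaf certificate;
    # a protocol copy that disagrees with it is rejected outright.
    if not chain_is_trusted(req.chain, trust_anchors):
        return False
    certified_n, certified_e = req.chain[0].public_key
    if (req.n, req.e) != (certified_n, certified_e):
        return False
    return signature_ok(session_id, req.signature, certified_n, certified_e)


# Constructed scenario: a CA certifies Alice's key; Mallory has her own key
# and a copy of Alice's certificate chain.
TRUST_ANCHORS = {"Example CA"}
SESSION_ID = b"constructed session id"

ALICE_PUB, ALICE_PRIV = make_key(61, 53)
MALLORY_PUB, MALLORY_PRIV = make_key(67, 71)

CA_CERT = Cert("Example CA", "Example CA", (0, 0))  # anchor; key unused here
ALICE_CERT = Cert("alice", "Example CA", ALICE_PUB)
ALICE_CHAIN = (ALICE_CERT, CA_CERT)


def alice_request():
    n, e = ALICE_PUB
    return AuthRequest(n, e, ALICE_CHAIN, sign(SESSION_ID, ALICE_PRIV, n))


def mallory_request():
    # Alice's certificate chain, but Mallory's own n, e and signature.
    n, e = MALLORY_PUB
    return AuthRequest(n, e, ALICE_CHAIN, sign(SESSION_ID, MALLORY_PRIV, n))


def outcomes():
    return {
        "alice_vulnerable": verify_vulnerable(alice_request(), SESSION_ID, TRUST_ANCHORS),
        "alice_fixed": verify_fixed(alice_request(), SESSION_ID, TRUST_ANCHORS),
        "mallory_vulnerable": verify_vulnerable(mallory_request(), SESSION_ID, TRUST_ANCHORS),
        "mallory_fixed": verify_fixed(mallory_request(), SESSION_ID, TRUST_ANCHORS),
    }


if __name__ == "__main__":
    for name, accepted in outcomes().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Running it shows `verify_vulnerable` accepting Mallory's request, since the chain is genuine and the signature does match the (uncertified) key she supplied, while `verify_fixed` rejects it because that key is not the one the leaf certificate binds. Dropping the separate n and e from the protocol altogether, as Niels proposes, removes the comparison step and with it the chance of forgetting it.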


