IETF-SSH archive
Re: x509
On Thu, 31 Jan 2002, Joseph Galbraith wrote:
> > On the subject of whether to use PKCS7 or not I'm not sure what it would
>
> The only question is, are there some cases where we might not be able
> to control it (or where it would be burdensome to execute that
> control.)
>
> If there are, PKCS 7 is a win because even in the face of a hash
> algorithm that we can't change to match SHA-1 as specified by the SSH
> protocol (for example) we can still work.
Hi,
Since the PKCS7 packet carries more info it's more "complete", however
RFC 2459 defines one and only one algorithm-id for DSA keys and PKCS1
defines the format of the signature to contain the algorithm-id (OID)
already (if I remember it correctly, it's been a while since I
read/implemented it). PKCS7 seems a bit overkill in this case (or I
remember things incorrectly, sorry).
Have you (vandyke) implemented x509 host/publickey auth in your
client/servers yet? I haven't tried your stuff out in a while, is it
available for evaluation on the web (server too?).
Cheers,
/Mats
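
The point above about a PKCS #1 signature already carrying the hash algorithm-id, as an added example (not part of the original message and not the poster's code): it builds and strictly parses the PKCS #1 v1.5 block that an RSA signature covers, recovering the hash OID from the embedded DigestInfo. It assumes the RSA public-key operation has already been applied; the function names and the sample message are constructed for illustration.

```python
import hashlib

# DER DigestInfo prefixes from PKCS #1 v1.5: SEQUENCE { AlgorithmIdentifier, OCTET STRING }.
PREFIX = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}

def emsa_encode(hash_name, message, em_len):
    """Build the block RSA signs: 00 01 FF..FF 00 || DigestInfo."""
    t = PREFIX[hash_name] + hashlib.new(hash_name, message).digest()
    if em_len < len(t) + 11:
        raise ValueError("modulus too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def read_tlv(buf, pos, tag):
    """Read one short-form DER TLV with the expected tag; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag or buf[pos + 1] >= 0x80:
        raise ValueError("unexpected DER")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("truncated DER")
    return buf[pos + 2:end], end

def decode_oid(body):
    """Turn DER OID content bytes into dotted notation."""
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    top = min(arcs[0] // 40, 2)
    return ".".join(map(str, [top, arcs[0] - 40 * top] + arcs[1:]))

def parse_em(em):
    """Return (hash OID, digest) from a recovered signature block; reject anything loose."""
    if em[:2] != b"\x00\x01":
        raise ValueError("bad header")
    sep = em.index(b"\x00", 2)
    if sep < 10 or set(em[2:sep]) != {0xFF}:
        raise ValueError("bad padding")
    info, end = read_tlv(em, sep + 1, 0x30)
    if end != len(em):
        raise ValueError("trailing bytes after DigestInfo")
    alg, pos = read_tlv(info, 0, 0x30)
    digest, pos = read_tlv(info, pos, 0x04)
    if pos != len(info):
        raise ValueError("trailing bytes inside DigestInfo")
    return decode_oid(read_tlv(alg, 0, 0x06)[0]), digest
```

A verifier that reads the OID this way still has to compare it against the hash it is willing to accept, then compare the digest against its own computation over the signed data.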