Re: Certificate authentication

[pgut001%cs.auckland.ac.nz@localhost (Peter Gutmann)]

"Glen Matthews" <glen%montreal.hcl.com@localhost writes:

>sorry for the dumb question (if it is dumb) but I can't see any drafts
>dealing with certificate authentication in ssh. ssh.com seems to support
>this, and I see a patch for openssh by Roumen Petrov - but is there any
>position from the wg on this?

I looked at this a while back and the group consensus is that no two people
can agree on how to handle it :-).  I went through the list archives
collecting all the comments on this, it starts around July'01 with:

  For x.509 certificates using rsa keys, SSH Communications 3.0 appears to be
  using PKCS #1 with MD5.

That doesn't describe the format, merely what's inside the RSA bignum... and
the debate then fizzled out again.  There's another post from August '01:

  I would suggest we include the following text in section documenting
  "x509v3-sign-rsa":

  The "x509v3-sign-rsa" key format has the following specific encoding:

     string    "x509v3-sign-rsa"
     byte[n]   x.509v3 compatible der encoded certificate data

  The resulting signature is encoded as follows:

     string    "x509v3-sign-rsa"
     string    rsa_signature_blob

  Variants to this go in the other x.509 sections as appropriate.

  In addition, I would suggest that we note that signatures made with x509v3-
  sign-rsa keys MUST use the SHA-1 hash, and be done using PKCS1.

but then later he says:

  So, we decided to change x.509v3 certificates to use pkcs7 signatures,
  because otherwise, there is no way to know what hashing algorithm was used.

  There are currently two such algorithms defined:

        x509v3-sign-rsa      RECOMMENDED  sign    X.509 certificates (RSA key)
        x509v3-sign-dss      RECOMMENDED  sign    X.509 certificates (DSS key)

      The "x509v3-*" key format has the following generic encoding:

        string    "x509v3-*"
        string    x.509v3 compatible der encoded certificate data

      The resulting signature is encoded as follows:

        string    "pkcs7"
        string    PKCS-7 signature, DER encoded

      The "x509v3-sign-rsa" method indicates that the key
      (or one of the keys in the certificate) is an RSA-key.

      The "x509v3-sign-dss".  As above, but indicates that the key (or
      one of the keys in the certificate) is a DSS-key.

which never appeard in the RFC.  There's a  followup in Jan'02 asking why it's
not present yet, and several other ones indicating that no two people can
agree on how to do this, including the [editorial comment deleted] suggestion
to use:

   The certificate formats based on ssh-rsa extend the public key
   format to include certificate data:

     string    "ssh-rsa-x509v3" / "ssh-rsa-spki" / "ssh-rsa-pgp"
     mpint     e
     mpint     n
     string    certificate

which practically guarantees that one or more implementations will use the e
and n from outside the cert (particularly ones only pretending to do X.509),
completely voiding the purpose of having the cert in the first place.  Even
ssh.com don't seem to know what to do:

  moreover, implementations supporting x509 (e.g. ssh.com) currently send

        string  "DER-encoded cert"

  without even sending the key type.

   Certificates and public keys are encoded as follows:

     string   certificate or public key format identifier
     byte[n]  key/certificate data

  so, i'm confused by the draft and the implementations.

Markus Friedl then comments that:

  This is obviously wrong,

Bill Sommerfeld finally sums it up with:

  i do not want to hold up the core drafts waiting for folks to figure out how
  to use x.509 with ssh.

and Damien Miller followed up with the observation that:

  The current spec is too vague to implement.

There were further comments more recently which indicated that interest in
doing X.509 with SSH was sufficiently low that no-one cared too much about
this issue anyway.

Peter.