IETF-SSH archive


Re: Nits in current drafts



Ben Harris <bjh21%bjh21.me.uk@localhost> writes:
>In article <E1D3s7u-00034y-00%medusa01.cs.auckland.ac.nz@localhost> you write:
>>Ben Harris <bjh21%bjh21.me.uk@localhost> writes:
>>>Does your proposed amendment allow an ssh-rsa signature to use any scheme
>>>other than RSASSA-PKCS1-v1_5/SHA-1?
>>
>>Mu :-).  Currently the only scheme defined for ssh-rsa is
>>RSASSA-PKCS1-v1_5/SHA-1, so it's "Whatever the spec says for ssh-rsa".  If
>>ssh-rsa is at some point extended to allow (say) .../SHA-256 as well then
>>it'd be automatically accommodated.
>
>That's a "no" for my purposes.

Well obviously it's a no because there's no other format defined, so anything
that uses ssh-rsa with other than RSASSA-PKCS1-v1_5/SHA-1 is in violation of
the spec.  Your question was the equivalent of "Have you stopped beating your
wife yet", which was why I answered "Mu", and then qualified it by saying that
if ssh-rsa was extended to allow anything else then using that would be OK.

>Imagine I've got an RSA-based authentication system, with its own certificate
>format, so I define a wibble-rsa%bjh21.me.uk@localhost public-key format. It happens
>that my authentication system uses its keys with RSASSA-PSS internally.
>
>1: Am I required to use the "ssh-rsa" signature format?

No, you can use whatever you want, although unless you use ssh-rsa you're not
going to be able to talk to anything else (obviously, that's what's implied
by the xyz%foo.com@localhost format).

>2: Am I required to use RSASSA-PKCS1-v1_5/SHA-1?

Since RSASSA-PKCS1-v1_5/SHA-1 is the only format defined for ssh-rsa, I guess
the answer is yes (see my comment above).  I guess you can use anything you
want in practice and still call it ssh-rsa, but your implementation won't
interoperate with anything else.  OTOH if you wanted to use (say) RSA-PSS, you
could do so by specifying rsa-pss%foo.com@localhost for the sig format.

>Why is it obviously the case that all future RSA signature formats (which I
>assume to be represented by "wibble-sign-rsa") are going to be underspecified
>or ambiguous?

It isn't obvious, but to date (through all 23 revisions of the spec) they've
been underspecified and ambiguous.  I have no idea what future formats will
be, however since no-one's managed to sort it out in 8(?) years of work and
polls on the list have indicated that no-one's really interested in sorting it
out (see e.g. the discussion over what the X.509 sig format is from a while
back), I don't hold out much hope.  Since everything except ssh-rsa has had to
be removed over time because no-one's sure of the format for signatures,
requiring that people use the existing universally-implemented ssh-rsa
signatures with all of the removed formats would solve this problem.

Peter.
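What the exchange above turns on, as an added example (not code from the thread or from any SSH implementation): the "ssh-rsa" identifier is all a verifier sees, and it commits the verifier to exactly one scheme, RSASSA-PKCS1-v1_5 over SHA-1 inside RFC 4253 string framing. The key values are constructed by the caller and the "rsa-pss@foo.com" identifier is hypothetical, as in the discussion.

```python
import hashlib
import struct

# DER DigestInfo prefix for SHA-1 (RFC 3447, section 9.2, note 1).
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")

def ssh_string(b: bytes) -> bytes:
    """Encode an SSH2 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def parse_ssh_strings(blob: bytes) -> list:
    """Split a blob of consecutive SSH2 strings; raises on truncation."""
    out, i = [], 0
    while i < len(blob):
        (n,) = struct.unpack(">I", blob[i:i + 4])
        if i + 4 + n > len(blob):
            raise ValueError("truncated SSH string")
        out.append(blob[i + 4:i + 4 + n])
        i += 4 + n
    return out

def emsa_pkcs1_v15_sha1(message: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 with SHA-1: 00 01 FF..FF 00 || DigestInfo || H(m)."""
    t = SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for PKCS#1 v1.5 with SHA-1")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign_ssh_rsa(n: int, d: int, data: bytes) -> bytes:
    """Produce the RFC 4253 'ssh-rsa' signature blob for data (n, d constructed by caller)."""
    k = (n.bit_length() + 7) // 8
    em = emsa_pkcs1_v15_sha1(data, k)
    s = pow(int.from_bytes(em, "big"), d, n)
    return ssh_string(b"ssh-rsa") + ssh_string(s.to_bytes(k, "big"))

# The identifier is all a verifier has to go on. A spec-only verifier has
# exactly one entry; a private "rsa-pss@foo.com" (hypothetical) is unknown.
KNOWN_FORMATS = {b"ssh-rsa": "RSASSA-PKCS1-v1_5/SHA-1"}
def verify_ssh_rsa(n: int, e: int, data: bytes, sig_blob: bytes) -> bool:
    """Check an ssh-rsa blob; rejects any format identifier not in the table."""
    fmt, s = parse_ssh_strings(sig_blob)
    if fmt not in KNOWN_FORMATS:
        raise ValueError("unknown signature format: %r" % fmt)
    k = (n.bit_length() + 7) // 8
    if len(s) != k:
        return False
    em = pow(int.from_bytes(s, "big"), e, n).to_bytes(k, "big")
    # Compare the whole encoding (padding included), not just the hash.
    return em == emsa_pkcs1_v15_sha1(data, k)
```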
