Internet-Drafts%ietf.org@localhost writes:

> The X.509 extension specifies how X.509 keys and signatures are used
> within the SSH2 protocol.

*** EKU

RFC3280 claims serverAuth and clientAuth EKU is for

    -- TLS WWW server authentication

and

    -- TLS WWW client authentication

Sure you want to overload that meaning TLS and SSH server/client authentication?

Should my http possibly run with the same certificate as my ssh server? So if my http server is compromised, it will expose my users to that stolen certificate when they try to contact that server.

I think you should make up your own object identifiers.

*** PKCS.7

[PKCS.7.1993] is kind of oldish, RFC3852 defines CMS now.

*** Certificates

In "4. Use in SSH2 Protocol" there is certificate data defined:

    string  DER encoded x.509v3 certificate data

How many certificates is this, one, or a chain?

If the PKI is deeper than grass, one level, (a real tree), it might be good to send the whole chain (excluding the trust anchor).

*** x509v3-sign

"4.3 x509v3-sign" talks about "DER encoded PKCS7 data", I assume that is DER encoded SignedData from CMS. I think that should be more explicit.

I'll read over the document again when I get back from the movie.

Love