IETF-SSH archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: DISCUSS comments on publickeyfile-09
Comments from others?
> The key type MUST always be explicitly known (from algorithm
> negotiation or some other source). It is not normally included in
> the key blob.
>
> Certificates and public keys are encoded as follows:
> string certificate or public key format identifier
> byte[n] key/certificate data
>
The first paragraph definitely seems in conflict with
the second, since the second clearly states that
a public key or certificate has a type identifier...
add to that the fact that all the currently
defined public-key types also include the
identifier...
I think we should strike the first paragraph.
Thoughts?
Thanks,
Joseph
Russ Housley wrote:
> It is not too late to fix the [I-D.ietf-secsh-transport] document if the
> WG consensus is that the paragraph is incorrect. It is up to the WG
> chair to work with Sam and I to get this changed while it is still in
> the RFC Editor queue if that is the will of the WG.
>
> Russ
>
> At 03:13 PM 10/4/2005, Joseph Galbraith wrote:
>>> The examples in section 3.6 do not seem to match the key blob
>>> description in [I-D.ietf-secsh-transport], section 6.6, which says:
>>> >
>>> > The key type MUST always be explicitly known (from algorithm
>>> > negotiation or some other source). It is not normally included in
>>> > the key blob.
>>
>> Argh....
>>
>> This statement in the transport draft is wrong!
>> (Unless I'm somehow not understanding what
>> it means.)
>>
>> "ssh-dss" and "ssh-rsa" keys (the only keys actually
>> specified by the transport, both specify the key
>> type in the key blob.
>>
>> As in (from 6.6 in transport)
>>
>> The "ssh-dss" key format has the following specific encoding:
>>
>> string "ssh-dss"
>> mpint p
>> mpint q
>> mpint g
>> mpint y
>>
>> Or (again 6.6):
>>
>> The "ssh-rsa" key format has the following specific encoding:
>>
>> string "ssh-rsa"
>> mpint e
>> mpint n
>>
>>
>>> But in this context, it is needed. This document should make this
>>> clear with a MUST statement. Note that it is included in each of
>>> the examples. I base64 decoded them and checked.
>>
>> It is only there because the transport draft
>> specifies that ssh-dss and ssh-rsa key blobs have it.
>>
>> The x.509 draft also specifies that it should be there
>> for x.509 keys.
>>
>> The agent%openssh.com@localhost agent protocol requires it to be
>> there in order to operate correctly (though the expired
>> agent draft from the working group does not.)
>>
>> If it is not too late, I think that paragraph should
>> be removed from the transport draft. But it is probably
>> too late.
>>
>> Thanks,
>>
>> Joseph
>>
>
>
Home |
Main Index |
Thread Index |
Old Index