IETF-SSH archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: DISCUSS comments on publickeyfile-09



Comments from others?

>    The key type MUST always be explicitly known (from algorithm
>    negotiation or some other source).  It is not normally included in
>    the key blob.
> 
>    Certificates and public keys are encoded as follows:
>       string    certificate or public key format identifier
>       byte[n]   key/certificate data
> 

The first paragraph definitely seems in conflict with
the second, since the second clearly states that
a public key or certificate has a type identifier...
add to that the fact that all the currently
defined public-key types also include the
identifier...

I think we should strike the first paragraph.

Thoughts?

Thanks,

Joseph


Russ Housley wrote:
> It is not too late to fix the [I-D.ietf-secsh-transport] document if the
> WG consensus is that the paragraph is incorrect.  It is up to the WG
> chair to work with Sam and I to get this changed while it is still in
> the RFC Editor queue if that is the will of the WG.
> 
> Russ
> 
> At 03:13 PM 10/4/2005, Joseph Galbraith wrote:
>>>    The examples in section 3.6 do not seem to match the key blob
>>>    description in [I-D.ietf-secsh-transport], section 6.6, which says:
>>>    >
>>>    > The key type MUST always be explicitly known (from algorithm
>>>    > negotiation or some other source).  It is not normally included in
>>>    > the key blob.
>>
>> Argh....
>>
>> This statement in the transport draft is wrong!
>> (Unless I'm somehow not understanding what
>> it means.)
>>
>> "ssh-dss" and "ssh-rsa" keys (the only keys actually
>> specified by the transport, both specify the key
>> type in the key blob.
>>
>> As in (from 6.6 in transport)
>>
>>   The "ssh-dss" key format has the following specific encoding:
>>
>>       string    "ssh-dss"
>>       mpint     p
>>       mpint     q
>>       mpint     g
>>       mpint     y
>>
>> Or (again 6.6):
>>
>>    The "ssh-rsa" key format has the following specific encoding:
>>
>>       string    "ssh-rsa"
>>       mpint     e
>>       mpint     n
>>
>>
>>>    But in this context, it is needed.  This document should make this
>>>    clear with a MUST statement.  Note that it is included in each of
>>>    the examples.  I base64 decoded them and checked.
>>
>> It is only there because the transport draft
>> specifies that ssh-dss and ssh-rsa key blobs have it.
>>
>> The x.509 draft also specifies that it should be there
>> for x.509 keys.
>>
>> The agent%openssh.com@localhost agent protocol requires it to be
>> there in order to operate correctly (though the expired
>> agent draft from the working group does not.)
>>
>> If it is not too late, I think that paragraph should
>> be removed from the transport draft.  But it is probably
>> too late.
>>
>> Thanks,
>>
>> Joseph
>>
> 
> 




Home | Main Index | Thread Index | Old Index