IETF-SSH archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: X.509



Oskari Saarenmaa <oskari%saarenmaa.fi@localhost> writes:

>I recently submitted a new individual draft for ssh x509 which backs down
>from what we specified in the latest WG draft, and just specifies how we use
>certificates in our implementations.  It's available at
>http://tools.ietf.org/wg/secsh/draft-saarenmaa-ssh-x509-00.txt
>
>Any thoughts?

Further to my previous comments, the text in the Implementation Considerations
section seems a bit misplaced.  Firstly, it's already subsumed by the "refer
to PKI standards" requirement in the Security Considerations, so it's
redundant.  Secondly, I would both hope that any implementation that doesn't
implement a verification algorithm would fail to verify the certificate that
uses it, and can't really see why this would be singled out for special
attention when there are lots of other things that also need to be checked.
Finally, to be nit-picky, you need to verify up to a trust anchor, which isn't
necessarily "all the certificates in the chain".

For all of the above, the appropriate solution seems to be to remove this
section, since it's already more than covered by the requirement in section 7.

Is anyone running a test SSH server that implements this authentication
mechanism?  I'd like to have something to test against...

Peter.




Home | Main Index | Thread Index | Old Index