Re: X.509

To: ietf-ssh%netbsd.org@localhost, , oskari%saarenmaa.fi@localhost
Subject: Re: X.509
From: pgut001%cs.auckland.ac.nz@localhost (Peter Gutmann)
Date: Tue, 13 Mar 2007 18:37:10 +1300

Oskari Saarenmaa <oskari%saarenmaa.fi@localhost> writes:

>I recently submitted a new individual draft for ssh x509 which backs down
>from what we specified in the latest WG draft, and just specifies how we use
>certificates in our implementations.  It's available at
>http://tools.ietf.org/wg/secsh/draft-saarenmaa-ssh-x509-00.txt
>
>Any thoughts?

Further to my previous comments, the text in the Implementation Considerations
section seems a bit misplaced.  Firstly, it's already subsumed by the "refer
to PKI standards" requirement in the Security Considerations, so it's
redundant.  Secondly, I would both hope that any implementation that doesn't
implement a verification algorithm would fail to verify the certificate that
uses it, and can't really see why this would be singled out for special
attention when there are lots of other things that also need to be checked.
Finally, to be nit-picky, you need to verify up to a trust anchor, which isn't
necessarily "all the certificates in the chain".

For all of the above, the appropriate solution seems to be to remove this
section, since it's already more than covered by the requirement in section 7.

Is anyone running a test SSH server that implements this authentication
mechanism?  I'd like to have something to test against...

Peter.

Follow-Ups:
- Re: X.509
  - From: Roumen Petrov

Prev by Date: RFC 4819 on Secure Shell Public Key Subsystem
Next by Date: Re: X.509
Previous by Thread: Re: X.509
Next by Thread: Re: X.509
Indexes:

Home | Main Index | Thread Index | Old Index