Q on X.509 authentication in SSH draft

To: ietf-ssh%NetBSD.org@localhost
Subject: Q on X.509 authentication in SSH draft
From: Jan Pechanec <Jan.Pechanec%Sun.COM@localhost>
Date: Thu, 03 Jan 2008 17:53:32 +0100 (CET)

	hi, in 4.1 section of draft-ietf-secsh-x509-03.txt[1], where 
"x509v3-sign" format is defined, there is this sentence:

>The first certificate in the list MUST be the end-entity one, and any
>other certificates MUST be part of the end-entity certificate's path.

	depending on CA policy, not all certificates need to be accompanied 
with an OCSP response, but could it be assumed that OCSP response list is 
"sorted" according to certificates supplied? It means that one could just go 
through the certificate list and check the first not yet processed OCSP 
response for match whether it is the only SingleResponse in OCSP response or 
the first unprocessed SingleResponse as part of one OCSP response.

	I also assume that the certificate list is "sorted" but neither that 
is explicitly defined there and I think it should be.

	I don't see any problem for the party being authenticated to sent an 
already sorted list of OCSP responses. Well, I could live with the unsorted 
list, too, but the sorted list is just more efficient if we consider a long 
validation path. What is more important I think is that it would be nice if 
this is explicitly specified there.


	anyway, given all the options how it could be done, I'm thinking 
that it would be simpler to use a pair of strings for every certificate - 
the certificate itself and an optional OCSP response which could be an empty 
string. And it would be sorted for use of PKIX validation path algorithm. It 
wouldn't increase the length of the data much in comparison to the length of 
the certificates and one could easily separate them into two sorted list if 
needed.

	string "x509v3-sign"
	uint32  number of certificate/OCSP response pairs
	string  DER encoded X.509v3 certificate data
	string  optional OCSP response data
	string  DER encoded X.509v3 certificate data
	string  optional OCSP response data
	...

	
	thanks, Jan.

[1] http://www3.ietf.org/proceedings/06mar/IDs/draft-ietf-secsh-x509-03.txt

-- 
Jan Pechanec

Follow-Ups:
- Re: Q on X.509 authentication in SSH draft
  - From: Jan Pechanec

Prev by Date: Adding new algorithms to the Ciphers property in the ssh config file.
Next by Date: Re: Q on X.509 authentication in SSH draft
Previous by Thread: Adding new algorithms to the Ciphers property in the ssh config file.
Next by Thread: Re: Q on X.509 authentication in SSH draft
Indexes:

Home | Main Index | Thread Index | Old Index