IETF-SSH archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: drasft-green--secsh-ecc-08 support for certificates



On Fri, Jun 19, 2009 at 06:25:51PM -0400, Jeffrey Hutzelman wrote:
> --On Friday, June 19, 2009 04:56:43 PM -0500 Nicolas Williams 
> <Nicolas.Williams%sun.com@localhost> wrote:
> >Oh come on Jeff!  This, from an author of RFC4462?

I had meant to add a smiley there...

> >I think SSHv2 extensions to allow the use of PKIX certificates for host
> >and/or user authentication (and key transport!) would have their place.
> 
> So do I, and I would very much like to see that work happen.  However, to 
> date, there hasn't been enough interest in doing the work, from people with 
> cycles to do it, for it to actually get done.  I hope no one misinterpreted 
> me as saying that no one would be interested in having it; that is 
> certainly not the case.
> 
> However, my concern is not about defining ways to use certificates with 
> SSH, but about promulgating standards that require their use,

RFC4462 doesn't require the use of GSS-API mechanisms for authentication
either.  If the doc at hand does then you're right, that'd be bad, but
it's hard to believe that it does.

In fact, I just checked and: a) it does not even provide a way to send
certificates, b) much less does it require their use.

All the I-D says about certificates is:

...
      *Verify host key belongs to server.
...
   *It is recommended that the client verify that the host key sent is
   the server's host key (using certificates or a local database).  ...

The "using certificates or a local database" part is repeated once more.

You seem to have interpreted that as meaning that the cert should be
sent instead of just the key, but section 3.1 (Key Format) makes it
clear that that's not the case.

I take the above text to mean that the client should look for a
certificate whose subject public key matches the server's key.  but
that's not a trivial operation (since there's no usually no directories
that can be searched by subject public key).  Therefore I consider that
suggestion to be rather useless at best, ambiguous at worst.

Nico
-- 



Home | Main Index | Thread Index | Old Index