IETF-SSH archive
Re: draft-green-secsh-ecc-08 support for certificates
On Fri, Jun 19, 2009 at 09:12:56AM +1000, Douglas Stebila wrote:
> > Suite B plans to be conservative and require the use of certificates
> > for both the server (sent in the SSH_MSG_KEX_ECDH_REPLY) and client
> > (sent in the SSH_MSG_USERAUTH_REQUEST).
> >
> > As described in section 7 of RFC 4252, SSH_MSG_USERAUTH_REQUEST
> > supports
> > a "public key blob" for use in transporting the certificate:
I hadn't noticed this earlier.
There's no way to "require" the use of certificates for the server, the
client host, or the client user in SSHv2 _today_ with the existing SSHv2
algorithm names and specs. To send a cert in a public key blob slot would
not interoperate.
The thing to do is to revive the SSHv2 w/ PKIX document(s) and progress
them. That means adding new SSHv2 host and hostbased/pubkey user
authentication algorithm names that send certs (and OCSP responses,
...). Alternatively, push for completion of PKU2U and use that via SSHv2
w/ GSS-API key exchange and/or userauth.
Once those are done, requiring the use of certificates with SSHv2, using
those extensions, in any environment would be fine.
Nico
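Added example, not part of this thread or of any draft it mentions: a receiver-side parser for the SSHv2 "public key blob" framing (RFC 4253 section 6.6: a string algorithm name followed by the fields that name defines). It shows concretely why the point above holds: the algorithm name is what tells the receiver how to read the rest of the blob, so a certificate carried under an existing name is rejected as trailing data, and a certificate carried under a new name is rejected until that name is defined and implemented. The KNOWN_ALGORITHMS set, the name "example-cert-ecdsa", and all key and certificate bytes are constructed assumptions for illustration, not registered names or real key material.

```python
"""Added example (not from the thread): parse an SSHv2 public key blob
the way a receiver does, and show that a certificate can only be carried
under an algorithm name the receiver knows and has a format for."""
import struct

# Algorithm names an SSHv2 receiver is assumed to know (constructed set).
KNOWN_ALGORITHMS = {"ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256"}


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer: two's-complement
    big-endian bytes, with a leading zero byte when the top bit is set."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return ssh_string(raw)


def read_string(buf: bytes, off: int):
    """Return (bytes, new_offset); raise ValueError on truncation."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + length > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + length], off + length


def rsa_blob(e: int, n: int) -> bytes:
    """'ssh-rsa' public key blob: string "ssh-rsa", mpint e, mpint n."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def parse_blob(blob: bytes, known=KNOWN_ALGORITHMS) -> dict:
    """Receiver-side check. The leading algorithm name selects the blob
    format: an unknown name cannot be interpreted at all, and a known
    name must be followed by exactly the fields its format defines."""
    name_bytes, off = read_string(blob, 0)
    name = name_bytes.decode("ascii")
    if name not in known:
        return {"ok": False, "algorithm": name, "reason": "unknown algorithm name"}
    if name == "ssh-rsa":
        try:
            e_raw, off = read_string(blob, off)
            n_raw, off = read_string(blob, off)
        except ValueError as exc:
            return {"ok": False, "algorithm": name, "reason": str(exc)}
        if off != len(blob):
            # Anything appended after e and n (a certificate, say) does not
            # belong to the ssh-rsa format and is rejected outright.
            return {"ok": False, "algorithm": name, "reason": "trailing data after key fields"}
        return {"ok": True, "algorithm": name,
                "e": int.from_bytes(e_raw, "big"), "n": int.from_bytes(n_raw, "big")}
    # Name is known but this toy receiver only implements ssh-rsa parsing.
    return {"ok": False, "algorithm": name, "reason": "format for this name not implemented here"}


# Constructed inputs: toy numbers, not real key material, and a stand-in
# byte string in place of a DER-encoded certificate.
CERT_BYTES = b"\x30\x82\x01\x00" + b"\x00" * 12
GOOD = rsa_blob(65537, 0xC0FFEE)
# Certificate appended under the existing "ssh-rsa" name.
SMUGGLED = rsa_blob(65537, 0xC0FFEE) + ssh_string(CERT_BYTES)
# Certificate under a hypothetical new certificate-carrying name.
NEW_NAME = ssh_string(b"example-cert-ecdsa") + ssh_string(CERT_BYTES)

if __name__ == "__main__":
    for label, blob in (("plain ssh-rsa", GOOD),
                        ("cert appended to ssh-rsa", SMUGGLED),
                        ("cert under new name", NEW_NAME)):
        print(f"{label}: {parse_blob(blob)}")
```

Passing a `known` set that includes the new name shows the second half of the argument: the receiver then recognises the name but still has no format to parse it with, which is exactly what a new specification (the PKIX documents mentioned above) would have to supply.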