Re: OpenSSH certified keys

[Roumen Petrov <openssh%roumenpetrov.info@localhost>]

Hi Jeffrey,

Damien Miller wrote:
> On Tue, 16 Mar 2010, Jeffrey Hutzelman wrote:
> > --On Wednesday, March 17, 2010 04:19:28 AM +1100 Damien Miller
> > <djm%mindrot.org@localhost>  wrote:
> >
> > > OpenSSH 5.4p1 introduced a novel, lightweight certificate format for
> > > user and host keys. [SNIP]
> >
> > That's unfortunate, because it's what the rest of the world already has as its
> > infrastructure.  By not supporting it, you force people to choose between
> > supporting your odd, proprietary, unproven certificate format or not getting
> > to use certificates at all.  Guess which one anyone with more than 5 machines
> > is going to choose?
> >
> > OpenSSH would be a lot more useful if it supported the same authentication
> > mechanisms as the rest of the world.
>
> Well, unfortunately we consider the additional complexity and attack surface
> added by X.509 to be too great. That being said, there are well-maintained
> 3rd party patches to OpenSSH that support X.509 certificates if users have
> a need that isn't supported by this mechanism.

I think that one of issue to previous drafts (O. Saarenmaa and J. 
Galbraith) as Damien point to this list was that ssh server has to parse 
asn.1.
If I understand Damien most acceptable is solution is if ssh could read 
without to process(parse) certificate(s) data and to pass to external 
system for further processing.
Damien ?

The recent draft (K. Igoe and D. Stebile 
http://tools.ietf.org/html/draft-igoe-secsh-x509v3-01 ) didn't resolve 
this issue.

[SNIP]

Roumen