IETF-SSH archive
Re: SSH keys - draft-ietf-netmod-system-mgmt
Martin Bjorklund <mbj%tail-f.com@localhost> writes:
> 1) Clarify that the leaf "key-data" contains:
>
> string certificate or public key format identifier
> byte[n] key/certificate data
>
> This allows for simple copy-and-paste from normal open ssh and
> rfc4716 files.
>
> However, if we also keep the leaf algorithm, we need to specify
> what happens if the leaf algorithm has a value that is different
> from the value embedded in the key blob.
Right, eliminating this redundancy makes things simpler.
> 2) Like 1, but remove the "leaf algorithm".
I'm not sure I understand the context, but this sounds like the best
option to me. If one wants a human-readable algorithm identifier, one
could include that in the name field (but ideally, any tools handling
this data should be able to extract the algorithm id from the key blob).
> 3) Keep "leaf algorithm" and specify that the leaf "key-data" contains:
>
> byte[n] key/certificate data
>
> This is NOT copy-and-paste friendly and probably pretty
> confusing to operators.
I would recommend *not* picking apart the ssh key (unless you really
want to convert it to some other reasonable representation, say, an
spki-style s-expression).
> Some other issues, probably less important.
>
> o If we do 1 or 2 above, is the name "key-data" really correct;
> shouldn't it be changed to just "key", in order to use the same
> terminology as RFC 4253:
Makes sense.
> o Should list "ssh-key" be called "ssh-public-key"?
>
> The description says it is public keys only, so shouldn't this be
> reflected in the name of the list?
I think it would make more sense to have a name that reflects the
*purpose* of the list of keys, rather than just the data type. E.g., if
it's authorization keys for logging in to the user's account, it could be
"authorized-ssh-keys" or something like that.
Regards,
/Niels
--
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.