[ssh_x509] Clarification on alignment with RFC6187

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Tue Nov 29 18:13:53 EET 2016


Hi Roumen and Daniel,

Thank you for the clarification, I think I'm beginning to understand
everything but now I would like to know if it's possible to use
x509v3-ssh-dss and x509v-ssh-rsa with PKIX-SSH. It sounds like these
algorithms are not supported currently since the full cert chain isn't
included with x509v3-sign-rsa and x509v3-sign-dss. Is that correct?

-Peter


On Mon, Nov 28, 2016 at 4:29 PM, <ssh_x509 at roumenpetrov.info> wrote:

> ssh_x509 at roumenpetrov.info wrote:
>
>> Hi,
>>
>> I'm trying to understand how the public key algorithms stated in the
>> features list: x509v3-sign-rsa and x509v3-sign-dss, match up with the
>> algorithms x509v3-ssh-dss and x509v-ssh-rsa, defined in section 3.1 and
>> 3.2
>> of RFC6187. Is it just a difference in naming convention with the RFC or
>> is
>> there something else?
>>
> Legacy formats are described as required in https://tools.ietf.org/html/dr
> aft-ietf-secsh-transport-12
>
> Format is : "
> Certificates and public keys are encoded as follows:
>      string   certificate or public key format identifier
>      byte[n]  key/certificate data
> ...
> The "x509v3-sign-rsa" method indicates that the certificates, the
>    public key, and the resulting signature are in X.509v3 compatible
>    DER-encoded format.  The formats used in X.509v3 is described in
>    [RFC2459].
> "
>
> In draft version 13 signature is changed to "Public key / certifcate
> formats that do not explicitly specify a signature format identifier MUST
> use the public key / certificate format identifier as the signature
> identifier."
>
>
> From drafts  is not clear how implement but ssh.com use rsa with sha1
> while vandyke.com use md5. PKIX-SSH switch to sha1 in version 7.1.
> Also for dss signature vandyke.com use asn1 encoding (X.509 format) while
> ssh.com use raw network format (SSH format).
>
> Those differences are managed with PKIX-SSH option X509KeyAlgorithm.
>
> Thank you,
>>
>> Peter
>>
>> Regards,
> Roumen
>
> --
> Secure shell with X.509 certificate support
> http://roumenpetrov.info/secsh/
>
>
>
> _______________________________________________
> ssh_x509 mailing list
> ssh_x509 at roumenpetrov.info
> http://roumenpetrov.info/mailman/listinfo/ssh_x509_roumenpetrov.info
>



More information about the ssh_x509 mailing list