[ssh_x509] Support for x509v3-rsa2048-sha256?

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Tue May 7 17:36:55 EEST 2019


 Roumen thanks for your reply. Now that you have released 12.0 with the algorithm centric code, does that mean that I could specify an x509v3-ssh-rsa with SHA256 instead of SHA1? As for how other implementations, I do see there isn't much out there that supports it. I see an old question on your mailer that refers to Maverick supporting it. The only other implementation I have found is SmartFTP which I've never used before. Indeed, not a widely implemented algorithm.
Thanks,Alex 


    On Saturday, April 6, 2019, 6:43:55 AM EDT, <ssh_x509 at roumenpetrov.info> wrote:  
 
 Hi Alex,

> Hi Roumen,
> I checked your archives and saw that this was asked about two years ago and at the time you were not yet adding x509v3-rsa2048-sha25 to PKIX-SSH. I was wondering if that support had moved up on your roadmap at all.
It is open-source project and fastest way go get some functionality is 
to propose a patch. Also near one year as source is managed in public 
repository (GitLab).


Long story is how algorithms ware implemented. From developer point of 
adding new item to "key type" enumeration is simple and fast way to 
implement new algorithm.
This approach was use more then 15 year ago. Implementation is changed 
(slowly) in another direction - to be "algorithm centric". Since long 
time on client side key material (key type) could be used in many 
algorithms. Version 11.0, released 1.5 years ago, was first what offers 
similar functionality for host (server) keys.

I note benefit of "algorithm centric" with implementation of 
"rsa-sha2-256" or "rsa-sha2-512". In origin version it costs more then 
four releases to get it working. Similar for custom certificates based 
on rsa-sha2-256 - at least two releases.

Soon I will finish transition to fully "algorithm centric" code. This s 
one of commits - 
https://gitlab.com/secsh/pkixssh/commit/202143d6df346c617c21a06e7150d7ea73db16cd 
. Another one(s) will be commited soon and will be in next release 12.0.
So release 12.0 will be fully "algorithm centric".


After release we could thing more how to implement extra algorithms.

Main issue with  x509v3-rsa2048-sha256 is compatibility testing. For instance x509v3-ssh-rsa, x509v3-ecdsa-sha2-* and x509v3-ssh-dss are tested with other implementations.

How to test x509v3-rsa2048-sha256?

> Thanks,
> Alex

Roumen


_______________________________________________
ssh_x509 mailing list
ssh_x509 at roumenpetrov.info
http://roumenpetrov.info/mailman/listinfo/ssh_x509_roumenpetrov.info
  


More information about the ssh_x509 mailing list