Re: x.509 signature clarification?

To: "Joseph Galbraith" <galb-list%vandyke.com@localhost>
Subject: Re: x.509 signature clarification?
From: nisse%lysator.liu.se@localhost (Niels Möller)
Date: 07 Jul 2001 09:26:39 +0200

"Joseph Galbraith" <galb-list%vandyke.com@localhost> writes:

> Looking at RFC 2459, it appears that it describes the profile
> for x.509 certificates, but doesn't really specify anything about 
> signature encoding.  I think this reference can be dropped.
> 
> For x.509 certificates using rsa keys, SSH Communications 3.0
> appears to be using PKCS #1 with MD5.  I'm not sure what they
> are doing for DSS signatures.

I think it would make sense to use the same signature encoding as for
ssh-rsa.

> I'm tempted to suggest that the signature is in PKCS #7
> format, though this seems to be a bit of an overkill...

Do you think there's something wrong with the encoding used for
ssh-rsa and ssh-dss? If not, I think it is a bad idea to add
complexity by adding yet another encoding for the same thing.

I don't have any plans to support x.509 at all in the foreseeable
future, but if I did, I would want a single function for doing x.509:
I'd pass a the ssh "key-blob" and a "resource accessed" id (typically
username or hostname) to the x.509 code, and get back the public key,
or NULL if certificate and local configuration did not imply access
rights.

>From then on, I'd like to be able to treat it as a vanilla rsa/dss key
and forget about x.509.

Regards,
/Niels

References:
- x.509 signature clarification?
  - From: Joseph Galbraith

Prev by Date: Re: x.509 signature clarification?
Next by Date: Re: x.509 signature clarification?
Previous by Thread: Re: x.509 signature clarification?
Next by Thread: Re: x.509 signature clarification?
Indexes:

Home | Main Index | Thread Index | Old Index