[Bug 3577] CASignatureAlgorithms supports -cert algorithms when used alongside with other options

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sun Jun 18 01:50:06 AEST 2023


https://bugzilla.mindrot.org/show_bug.cgi?id=3577

xspielinbox+mindrot at protonmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|CASignatureAlgorithms       |CASignatureAlgorithms
                   |supports -cert alogrithms   |supports -cert algorithms
                   |                            |when used alongside with
                   |                            |other options

--- Comment #1 from xspielinbox+mindrot at protonmail.com ---
To clarify:
When only configuring one of the -cert algorithms with
CASignatureAlgorithms, one gets an error that the configuration is
invalid, but when adding them alongside some other algorithm, they are
supported.

However, when signing a user certificate with a CA, ssh-keygen -L will
always list the non -cert (the "normal" variant so to speak) as the
algorithm behind "using" in the Signing CA. So e.g. for an ed25519 CA:
Signing CA: ED25519 SHA256:bfV6O1tWNL+L/rLib4dDFPn5eydAAhyyHUb5hz7yVjA
(using ssh-ed25519)
I would not know how to get something that would then have:
Signing CA: ED25519 SHA256:bfV6O1tWNL+L/rLib4dDFPn5eydAAhyyHUb5hz7yVjA
(using ssh-ed25519-cert)

As this algorithm in my understanding is the one

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
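
A small audit for the situation described in this report, as an added example that is not part of the original message or of OpenSSH: it lists the -cert entries found in CASignatureAlgorithms and extracts the algorithm that ssh-keygen -L prints after "using", so the two can be compared. The config fragment, the full name ssh-ed25519-cert-v01@openssh.com and all function names are assumptions; the comparison is exact and ignores wildcards and the default set.

```python
import re

# Constructed sshd_config fragment (not taken from the bug report).
SAMPLE_CONFIG = """\
TrustedUserCAKeys /etc/ssh/user_ca.pub
CASignatureAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519  # mixed list
"""
# Signing CA line in the form quoted in the comment (wrapped there by e-mail).
SAMPLE_KEYGEN_L = ("Signing CA: ED25519 "
                   "SHA256:bfV6O1tWNL+L/rLib4dDFPn5eydAAhyyHUb5hz7yVjA "
                   "(using ssh-ed25519)")


def ca_sig_algorithms(config_text):
    """Return the entries of every CASignatureAlgorithms line, +/- prefix stripped."""
    entries = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"casignaturealgorithms[\s=]+(\S+)", line, re.IGNORECASE)
        if m:
            value = m.group(1).strip('"')
            if value[:1] in ("+", "-"):              # append / remove modifiers
                value = value[1:]
            entries += [e for e in value.split(",") if e]
    return entries


def cert_entries(entries):
    """Entries that name a certificate key type rather than a signature algorithm."""
    return [e for e in entries if "-cert" in e]


def signing_algorithm(keygen_output):
    """Extract the algorithm shown after 'using' on the Signing CA line."""
    m = re.search(r"Signing CA:\s+\S+\s+\S+\s+\(using\s+([^)\s]+)\)", keygen_output)
    return m.group(1) if m else None


def audit(config_text, keygen_output):
    """Summarise -cert entries and whether the certificate's algorithm is listed."""
    entries = ca_sig_algorithms(config_text)
    used = signing_algorithm(keygen_output)
    return {"cert_entries": cert_entries(entries),
            "used": used,
            "used_listed": used in entries}          # exact match only


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, SAMPLE_KEYGEN_L))
```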

