[Bug 3577] CASignatureAlgorithms supports -cert algorithms when used alongside with other options
bugzilla-daemon at mindrot.org
Sun Jun 18 01:50:06 AEST 2023
https://bugzilla.mindrot.org/show_bug.cgi?id=3577
xspielinbox+mindrot at protonmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|CASignatureAlgorithms       |CASignatureAlgorithms
                   |supports -cert alogrithms   |supports -cert algorithms
                   |                            |when used alongside with
                   |                            |other options
--- Comment #1 from xspielinbox+mindrot at protonmail.com ---
To clarify:
When only configuring one of the -cert algorithms with
CASignatureAlgorithms, one gets an error that the configuration is
invalid, but when adding them alongside some other algorithm, they are
supported.
However, when signing a user certificate with a CA, ssh-keygen -L will
always list the non -cert (the "normal" variant so to speak) as the
algorithm behind "using" in the Signing CA. So e.g. for an ed25519 CA:
Signing CA: ED25519 SHA256:bfV6O1tWNL+L/rLib4dDFPn5eydAAhyyHUb5hz7yVjA
(using ssh-ed25519)
I would not know how to get something that would then have:
Signing CA: ED25519 SHA256:bfV6O1tWNL+L/rLib4dDFPn5eydAAhyyHUb5hz7yVjA
(using ssh-ed25519-cert)
As this algorithm in my understanding is the one