[openssh-commits] [openssh] 02/02: upstream commit

git+noreply at mindrot.org git+noreply at mindrot.org
Tue May 3 20:29:21 AEST 2016 

This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit fa58208c6502dcce3e0daac0ca991ee657daf1f5
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Tue May 3 10:27:59 2016 +0000

    upstream commit
    
    correct some typos and remove a long-stale XXX note.
    
    add specification for ed25519 certificates
    
    mention no host certificate options/extensions are currently defined
    
    pointed out by Simon Tatham
    
    Upstream-ID: 7b535ab7dba3340b7d8210ede6791fdaefdf839a
---
 PROTOCOL.certkeys | 42 ++++++++++++++++++++++++++++++++----------
 1 file changed, 32 insertions(+), 10 deletions(-)

diff --git a/PROTOCOL.certkeys b/PROTOCOL.certkeys
index c985910..aa6f5ae 100644
--- a/PROTOCOL.certkeys
+++ b/PROTOCOL.certkeys
@@ -100,9 +100,9 @@ DSA certificate
 
 ECDSA certificate
 
-    string    "ecdsa-sha2-nistp256 at openssh.com" |
-              "ecdsa-sha2-nistp384 at openssh.com" |
-              "ecdsa-sha2-nistp521 at openssh.com"
+    string    "ecdsa-sha2-nistp256-v01 at openssh.com" |
+              "ecdsa-sha2-nistp384-v01 at openssh.com" |
+              "ecdsa-sha2-nistp521-v01 at openssh.com"
     string    nonce
     string    curve
     string    public_key
@@ -118,6 +118,23 @@ ECDSA certificate
     string    signature key
     string    signature
 
+ED25519 certificate
+
+    string    "ssh-ed25519-cert-v01 at openssh.com"
+    string    nonce
+    string    pk
+    uint64    serial
+    uint32    type
+    string    key id
+    string    valid principals
+    uint64    valid after
+    uint64    valid before
+    string    critical options
+    string    extensions
+    string    reserved
+    string    signature key
+    string    signature
+
 The nonce field is a CA-provided random bitstring of arbitrary length
 (but typically 16 or 32 bytes) included to make attacks that depend on
 inducing collisions in the signature hash infeasible.
@@ -129,6 +146,9 @@ p, q, g, y are the DSA parameters as described in FIPS-186-2.
 curve and public key are respectively the ECDSA "[identifier]" and "Q"
 defined in section 3.1 of RFC5656.
 
+pk is the encoded Ed25519 public key as defined by
+draft-josefsson-eddsa-ed25519-03.
+
 serial is an optional certificate serial number set by the CA to
 provide an abbreviated way to refer to certificates from that CA.
 If a CA does not wish to number its certificates it must set this
@@ -146,7 +166,7 @@ strings packed inside it. These principals list the names for which this
 certificate is valid; hostnames for SSH_CERT_TYPE_HOST certificates and
 usernames for SSH_CERT_TYPE_USER certificates. As a special case, a
 zero-length "valid principals" field means the certificate is valid for
-any principal of the specified type. XXX DNS wildcards?
+any principal of the specified type.
 
 "valid after" and "valid before" specify a validity period for the
 certificate. Each represents a time in seconds since 1970-01-01
@@ -183,7 +203,7 @@ signature is computed over all preceding fields from the initial string
 up to, and including the signature key. Signatures are computed and
 encoded according to the rules defined for the CA's public key algorithm
 (RFC4253 section 6.6 for ssh-rsa and ssh-dss, RFC5656 for the ECDSA
-types).
+types), and draft-josefsson-eddsa-ed25519-03 for Ed25519.
 
 Critical options
 ----------------
@@ -203,8 +223,9 @@ option-specific information (see below). All options are
 "critical", if an implementation does not recognise a option
 then the validating party should refuse to accept the certificate.
 
-The supported options and the contents and structure of their
-data fields are:
+No critical options are defined for host certificates at present. The
+supported user certificate options and the contents and structure of
+their data fields are:
 
 Name                    Format        Description
 -----------------------------------------------------------------------------
@@ -233,8 +254,9 @@ as is the requirement that each name appear only once.
 If an implementation does not recognise an extension, then it should
 ignore it.
 
-The supported extensions and the contents and structure of their data
-fields are:
+No extensions are defined for host certificates at present. The
+supported user certificate extensions and the contents and structure of
+their data fields are:
 
 Name                    Format        Description
 -----------------------------------------------------------------------------
@@ -262,4 +284,4 @@ permit-user-rc          empty         Flag indicating that execution of
                                       of this script will not be permitted if
                                       this option is not present.
 
-$OpenBSD: PROTOCOL.certkeys,v 1.9 2012/03/28 07:23:22 djm Exp $
+$OpenBSD: PROTOCOL.certkeys,v 1.10 2016/05/03 10:27:59 djm Exp $

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.

More information about the openssh-commits mailing list