revised cert format and deprecation schedule

Iain Morgan imorgan at
Tue Apr 20 04:13:11 EST 2010

On Fri, Apr 16, 2010 at 01:29:06 -0500, Damien Miller wrote:
> There are basically three goals:
> 1) Develop OpenSSH certificates until they solve enough of the use-cases
>    to be a compelling substitute for X.509 certs for a substantial
>    number of users. This may require occasional backwards-incompatible
>    changes.
> 2) Don't burn our early adopters by breaking their working
>    configurations without ample warning.
> 3) Avoid having to be stuck with maintaining backwards compatibility
>    code in perpetuity. This is for both workload and security reasons;
>    more twisty compat code == more bugs.
> So my working, self-imposed policy is to retain backwards compatibility
> support for at least 13 months after the release that includes an
> incompatible change. This duration is intended to let users sign certs
> of one year duration and know that an OpenSSH release won't break them
> in their life time. A corollary of this is that you shouldn't sign certs
> that have an expiry date more than one year in the future if you want to
> be able to upgrade to the latest version at will.
> As an example, our next release will include the above incompatible
> change and will likely be made some time around July. Following this
> plan, I'll remove support for the v00 certificate format in the next
> release after August 2011.
> Hopefully this provides enough clarity for people to start using this
> certificate support with some confidence that we won't break it at
> random.
> Naturally this policy is open for discussion, but I'd prefer that the
> discussion happen *now* rather than when we are preparing for the
> release in late 2011. So have at it :)
> -d

Hi Damien,

For now this seems like a reasonable policy, particularly as the
certificate support has only been recently been introduced. However, I'm
a little concerned as to what will happen when OS vendors start to adopt
versions of OpenSSH with this support.

For example, one vendor might ship an OS with 5.5p1 while another vendor
might ship 5.9p1. These two versions would presumably have mutually
incompatible certificate support.

It's conceivable that in a heterogeneous environment there may be
several versions of OpenSSH in use and the version supplied by vendor X
may ben incompatible (with regards to the certificate support) with the
version supplied by vendor Y.

The desire to remove support for obsolete formats is understandable and
laudable, but I suspect that at some point you may need to extend the
timeframe from 13 months to something more on the order of two or three
years. Hopefully there won't be a need for frequent revisions to the
format, so this may be a moot point.

In any case, I imagine you've already considered this.


Iain Morgan

More information about the openssh-unix-dev mailing list