Certificate spec anomaly?
Michael Ströder
michael at stroeder.com
Tue Sep 20 05:23:44 AEST 2022
On 9/19/22 20:57, Brian Candler wrote:
> On the other hand, the spec at
> https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?rev=1.19&content-type=text/x-cvsweb-markup says:
>
> > As a special case, a zero-length "valid principals" field means the
> certificate is valid for any principal of the specified type.
I cannot imagine any reasonable rationale for that.
> I think the behaviour of sshd is sane and sensible. A
> "super-certificate" which can impersonate any user (or any host[^2])
> seems like a dangerous thing to me;
+1
In general a digital certificate is a signed statement by a CA saying:
"This public key belongs to this name/ID. Trust me!"
Thus if there's no name or ID in the certificate it's not a valid
certificate.
> I wonder if the protocol documentation is out of step,
IMO yes.
Ciao, Michael.
More information about the openssh-unix-dev
mailing list