Certificate spec anomaly?

Michael Ströder michael at stroeder.com
Tue Sep 20 05:23:44 AEST 2022


On 9/19/22 20:57, Brian Candler wrote:
> On the other hand, the spec at 
> https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?rev=1.19&content-type=text/x-cvsweb-markup says:
> 
>  > As a special case, a zero-length "valid principals" field means the 
> certificate is valid for any principal of the specified type.

I cannot imagine any reasonable rationale for that.

> I think the behaviour of sshd is sane and sensible. A 
> "super-certificate" which can impersonate any user (or any host[^2]) 
> seems like a dangerous thing to me;

+1

In general a digital certificate is a signed statement by a CA saying: 
"This public key belongs to this name/ID. Trust me!"

Thus if there's no name or ID in the certificate it's not a valid 
certificate.

> I wonder if the protocol documentation is out of step,

IMO yes.

Ciao, Michael.



More information about the openssh-unix-dev mailing list