anyone using certificates with an empty principals section?

Ethan Heilman eth3rs at gmail.com
Thu Apr 9 04:53:35 AEST 2026 

Hi Damien/mailinglist

I am a little late to the party, having missed when this email was
originally posted.

OPKSSH ( https://github.com/openpubkey/opkssh/ )  relies on the wildcard
behavior of the empty principal in user SSH certificates.

OPKSSH:
1. Issues a user an SSH certificate containing user identity attestations
about the user.
2. User sshes as a particular principal with the SSH certificate. The SSH
certificate is sent to an AuthorizedKeysCommand that reads identity
attestations along with the desired principal from the SSH session and
checks if OPKSSH policy allows that identity to assume that principal.

Because we don't know the desired principal at ssh certificate issuance
time and the user may use the certificate for multiple principals, we must
rely on the principal flag being empty as a wildcard.

Would this impact SSH user certificates processed via
AuthorizedKeysCommand? I doubting I am the only project depending on this
functionality for access time policy evaluations of SSH certificates.

Thanks,
Ethan

On Wed, Apr 8, 2026 at 2:24 PM Ethan Heilman <eth3rs at gmail.com> wrote:

> Hi Damien,
>
> I am a little late to the party, having missed when this email was
> originally posted.
>
> OPKSSH ( https://github.com/openpubkey/opkssh/ )  relies on the wildcard
> behavior of the empty principal in user SSH certificates.
>
> OPKSSH:
> 1. Issues a user an SSH certificate containing user identity attestations
> about the user.
> 2. User sshes as a particular principal with the SSH certificate. The SSH
> certificate is sent to an AuthorizedKeysCommand that reads identity
> attestations along with the desired principal from the SSH session and
> checks if OPKSSH policy allows that identity to assume that principal.
>
> Because we don't know the desired principal at ssh certificate issuance
> time and the user may use the certificate for multiple principals, we must
> rely on the principal flag being empty as a wildcard.
>
> Would this impact SSH user certificates sent via  AuthorizedKeysCommand?
> I doubt I am the only project depending on this functionality for using
> access time policy evaluations of SSH certificates.
>
> Thanks,
> Ethan
>
>
>

More information about the openssh-unix-dev mailing list