Re: [netmod] SSH keys - draft-ietf-netmod-system-mgmt

nisse@lysator.liu.se (Niels Möller ) Wed, 30 April 2014 20:06 UTC

To: Jeffrey Hutzelman <jhutz@cmu.edu>
Cc: ietf-ssh@NetBSD.org, netmod@ietf.org

Jeffrey Hutzelman <jhutz@cmu.edu> writes:

> On Wed, 2014-04-30 at 08:49 +0200, Niels Möller wrote:
>> >     However, if we also keep the leaf algorithm, we need to specify
>> >     what happens if the leaf algorithm has a value that is different
>> >     from the value embedded in the key blob.
>> 
>> Right, eliminating this redundancy makes things simpler.
>
> It would, except you can't eliminate it.

Hmm. I think you're right. So then the "algorithm" leaf would be
the name being used in algorithm negotiation and the like, and the "key"
leaf would be the key blob. The key blob typically starts with a string
containing the algorithm identifier, but nothing but the ssh
implementation is expected to care about that detail.

So then the right choice is 1),

: 1)  Clarify that the leaf "key-data" contains:
: 
:          string    certificate or public key format identifier
:          byte[n]   key/certificate data
: 
:     This allows for simple copy-and-paste from normal open ssh and
:     rfc4716 files.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
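The consistency question raised in this thread (an "algorithm" leaf beside a "key-data" blob that already begins with a format identifier) can be checked mechanically. The following is an added example, not code from the thread or the draft: it parses the leading RFC 4251 string of a key-data blob, accepts an OpenSSH authorized_keys-style line for copy-and-paste, and flags a leaf/blob mismatch. The leaf names follow the quoted draft text; the 32-byte ed25519 key value is constructed, not a real key.

```python
import base64
import struct

# Constructed sample: a 32-byte ed25519 public key value (not a real key).
SAMPLE_RAW_KEY = bytes(range(32))

def ssh_string(data: bytes) -> bytes:
    """Encode an RFC 4251 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def read_ssh_string(blob: bytes, offset: int = 0):
    """Decode one RFC 4251 'string' at offset; returns (value, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("string runs past end of blob")
    return blob[offset + 4:end], end

def embedded_algorithm(key_data: bytes) -> str:
    """The format identifier that leads every public-key or certificate blob."""
    ident, _ = read_ssh_string(key_data)
    return ident.decode("ascii")

def from_openssh_line(line: str):
    """Split an authorized_keys-style line into (algorithm, base64 key-data)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<algorithm> <base64> [comment]'")
    return fields[0], fields[1]

def check_key_leaves(algorithm: str, key_data_b64: str) -> str:
    """Cross-check the 'algorithm' leaf against the identifier inside 'key-data'.
    Returns the identifier, or raises ValueError on mismatch or malformed blob."""
    key_data = base64.b64decode(key_data_b64, validate=True)
    embedded = embedded_algorithm(key_data)
    if embedded != algorithm:
        raise ValueError(f"algorithm leaf {algorithm!r} != embedded {embedded!r}")
    return embedded

def leaves_consistent(algorithm: str, key_data_b64: str) -> bool:
    """Boolean form of check_key_leaves, suitable for a config validation hook."""
    try:
        check_key_leaves(algorithm, key_data_b64)
        return True
    except (ValueError, UnicodeDecodeError):
        return False

# Constructed ed25519 blob: string "ssh-ed25519" || string <32 key bytes>.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(SAMPLE_RAW_KEY)
SAMPLE_KEY_DATA = base64.b64encode(SAMPLE_BLOB).decode("ascii")
SAMPLE_LINE = f"ssh-ed25519 {SAMPLE_KEY_DATA} constructed-example"
```

Rejecting a mismatch at configuration time avoids having to define, as the draft text asks, what an implementation does when the leaf and the blob disagree.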