Re: draft-igoe-secsh-x509v3-00
Joseph Galbraith <galb-list@vandyke.com> Thu, 19 November 2009 00:52 UTC
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 36EBE3A6886 for <ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com>; Wed, 18 Nov 2009 16:52:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ep-rCYR+oYUd for <ietfarch-secsh-tyoxbijeg7-archive@core3.amsl.com>; Wed, 18 Nov 2009 16:52:10 -0800 (PST)
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7:2e0:81ff:fe52:9ab6]) by core3.amsl.com (Postfix) with ESMTP id E44683A6842 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Wed, 18 Nov 2009 16:52:08 -0800 (PST)
Received: by mail.netbsd.org (Postfix, from userid 0) id 9F4EA63B10C; Thu, 19 Nov 2009 00:51:55 +0000 (UTC)
Delivered-To: ietf-ssh@netbsd.org
Received: from vandyke.com (mail.vandyke.com [216.184.10.33]) by mail.netbsd.org (Postfix) with ESMTP id 539D663B100 for <ietf-ssh@netbsd.org>; Thu, 19 Nov 2009 00:51:53 +0000 (UTC)
Received: from [192.168.1.193] (account galb [192.168.1.193] verified) by vandyke.com (CommuniGate Pro SMTP 5.0.9) with ESMTPA id 5793356; Wed, 18 Nov 2009 16:51:51 -0700
Message-ID: <4B048844.4040405@vandyke.com>
Date: Wed, 18 Nov 2009 16:50:28 -0700
From: Joseph Galbraith <galb-list@vandyke.com>
User-Agent: Thunderbird 2.0.0.9 (Windows/20071031)
MIME-Version: 1.0
To: "Igoe, Kevin M." <kmigoe@nsa.gov>
CC: ietf-ssh@NetBSD.org
Subject: Re: draft-igoe-secsh-x509v3-00
References: <80F9AC969A517A4DA0DE3E7CF74CC1BB0349B5@MSIS-GH1-UEA06.corp.nsa.gov>
In-Reply-To: <80F9AC969A517A4DA0DE3E7CF74CC1BB0349B5@MSIS-GH1-UEA06.corp.nsa.gov>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list
Igoe, Kevin M. wrote: > Colleagues: > > I'd like to call your attention to the following draft submission for > X.509 certificates in Secure Shell: > > http://www.ietf.org/id/draft-igoe-secsh-x509v3-00.txt > > > Your comments, suggestions and insights are appreciated! Thanks for picking this work up. I'm definitely interested in seeing this move forward, and I know I've had a number of people express interest in this work as well. I think this draft needs to spell out, explicitly, various formats. For example, > The key format has the following specific encoding: > > string "x509v3-ssh-dss" / "x509v3-ssh-rsa" / > "x509v3-ecdsa-sha2-*" / "x509v3-ecmqv-sha2" > string certificate-chain > > A certificate-chain is a DER-encoded ASN.1 SEQUENCE of certificates. I suppose you might omit the second string and embed the ASN.1 sequence directly, but usually SSH wraps that kind of data in a string. Notice the algorithm name is encoded into the publickey. This is the way ssh-dss and ssh-rsa work, but not the way the (undocumented) de-facto x509 implementation that is currently floating around works. (And in case it isn't obvious, I think it should work like the existing algorithms and encode the algorithm name in the publickey.) It might be more SSH friendly to encode the chain using SSH rather than ASN.1: > The "x509v3-ssh-dss" key format has the following specific encoding: > > string "x509v3-ssh-dss" / "x509v3-ssh-rsa" / > "x509v3-ecdsa-sha2-*" / "x509v3-ecmqv-sha2" > uint32 certificate-count > string certificate[1..certificate-count] I'd also include an example, just because we've had a number of implementation problems in this area (the string nesting can be a little confusing.) > byte SSH_MSG_KEXDH_REPLY > string 0x00 0x00 0xXX 0xXX > 0x00 0x00 0x00 0x0D "x509v3-ssh-dss" > 0x00 0x00 0x00 0x02 > 0x00 0x00 0xXX 0xXX DER-encoded senders certificate > 0x00 0x00 0xXX 0xXX DER-encoded issuer certificate > mpint f > string signature of H I think we also need to document signature algorithms. > Signing and verifying using the "x509v3-ssh-dss" key format > is done according to the Digital Signature Standard [FIPS-186-2] > using the SHA-1 hash [FIPS-180-2]. > > The resulting signature is encoded as follows: > > string "ssh-dss" > string dss_signature_blob > > The value for 'dss_signature_blob' is encoded as a string containing > r, followed by s (which are 160-bit integers, without lengths or > padding, unsigned, and in network byte order). > > Signing and verifying using the "x509v3-ssh-rsa" key format > is performed according to the RSASSA-PKCS1-v1_5 scheme in > [RFC3447] using the SHA-1 hash. > > The resulting signature is encoded as follows: > > string "ssh-rsa" > string rsa_signature_blob > > The value for 'rsa_signature_blob' is encoded as a string containing > s (which is an integer, without lengths or padding, unsigned, and in > network byte order). > > These formats are that same as "ssh-rsa" and "ssh-dss", see RFC 4253, > 6.6. Public Key Algorithms You'll probably also need details for "x509v3-ecdsa-sha2-*" and "x509v3-ecmqv-sha2" signature encodings. (And I assumed you wanted to use the existing encodings for signatures-- if not, you'll need to spell something different out.) In addition, in your "IANA Considerations", you specified that there were new entries in the key exchange algorithms, but I don't think you actually introduced any new key exchange algorithms did you? These are just new public key types that can be used in combination with any of the existing key exchange algorithms. Other miscellaneous thoughts: o Do we want to require processing of (or give guidance with regards to) any extensions, such as BasicConstraints, KeyUsage, and SubjectAltName? o Do we need language about respecting critical extensions or rejecting the certificate? o Do we want to define any extended key usage key purpose ids? o When we were working on x509v3 before, people seemed to want to include revocation data as well as chain data; I was never quite sure whether this was really needed or if it was gold plating, so to speak. I'm more than happy to see any of these discarded as unneeded fluff... to be honest, I know a lot about SSH, but not so much about x509, so these thoughts mostly reflect feedback I was given when working on the (now abandoned) x509v3 draft (http://tools.ietf.org/html/draft-ietf-secsh-x509-03) o We should require the first certificate in a chain to use the correct type of key (i.e., it must have a rsa key if it is a "x509v3-ssh-rsa".) Thanks, Joseph
- draft-igoe-secsh-x509v3-00 Igoe, Kevin M.
- Re: draft-igoe-secsh-x509v3-00 Joseph Galbraith
- Re: draft-igoe-secsh-x509v3-00 Jeffrey Hutzelman
- Re: draft-igoe-secsh-x509v3-00 Joseph Galbraith
- Re: draft-igoe-secsh-x509v3-00 Jeffrey Hutzelman
- Re: draft-igoe-secsh-x509v3-00 Douglas Stebila
- Re: draft-igoe-secsh-x509v3-00 Joseph Galbraith
- Re: draft-igoe-secsh-x509v3-00 Jeffrey Hutzelman
- Re: draft-igoe-secsh-x509v3-00 Nicolas Williams
- Re: draft-igoe-secsh-x509v3-00 Nicolas Williams
- Re: draft-igoe-secsh-x509v3-00 Jan Pechanec