https://bugzilla.mindrot.org/show_bug.cgi?id=3157
--- Comment #2 from Paul Kapp <[email protected]> --- It is different, but not quite correct either, IMO. The CA key type listed as the @cert-authority entry could be used to sign any key type. If a @cert-authority is applicable from known_hosts, the client should include all the available certificate types in the list offered to the server, since the client is prepared to trust any of the certificate types SignedBy the CA, and has no way to predict which type(s) may be available on the server. Ordering of the list is probably suitable, moving some certificate types to the head of the list, based on other plain key types matched in known_hosts, as the fallback to plain keys logic may still be used. However, the full list (as appears in HostKeyAlgorithms) ought to be represented. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug. _______________________________________________ openssh-bugs mailing list [email protected] https://lists.mindrot.org/mailman/listinfo/openssh-bugs
