Hi
On Wed, Jan 17, 2018 at 3:53 AM, Steffan Karger <steffan.kar...@fox-it.com>
wrote:
> Hi,
>
> On 17-01-18 05:24, Selva Nair wrote:
> > Also I'm toying with the idea of renaming ecdsa-sig/ECDSA-SIGN by
> > pkey-sig/PKEY-SIGN so that eventually we may be able to use it for
> > all types of keys and retire rsa-sig. Any thoughts on that?
>
> This was my first though when looking at these patches. Haven't looked
> at the code yet, but functionally I think that's the way to go. Even if
> it were that Ed25519 / Ed448 sigs are technically not ECDSA sigs.
>
I was waiting for the chatlog before finalizing v2. Looks like there are a
number of opinions
that seem to converge towards the same view.
This is what I have in my current v2 ready to go out:
(i) Current behaviour for rsa signatures stays for now: daemon sends
>RSA_SIGN client responds
with rsa-sig
(ii) Daemon sends >PK_SIG client responds with pk-sig [*]
Initially this will be used only for EC, but trivial to switch RSA to this
in future.
So document that new mgmt clients should be prepared to handle all supported
key types via >PK_SIGN/pk-sig and >RSA_SIGN will be eventually removed.
As a nice side effect, clients are allowed to respond with pk-sig even if
the challenge was
>RSA_SIGN. As a not so nice side effect, the daemon will reply with
"SUCCESS rsa-sign
succeeded" because that's what it asked for -- I suppose we can live with
that.
We can deprecate and remove >RSA_SIGN at a later date by a hard switch when
all known clients are capable of handling >PK_SIGN
Does this sound like an acceptable solution?
Question: while at it should we alter the syntax to
>PK_SIGN,xxx,<base64>
where xxx will be empty for now, but it reserves space for extra info that
may come handy for some future signature types (like use PSS padding for
RSA or use PureEdDSA or whatever).
Thanks,
Selva
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
