Bill Sommerfeld <[EMAIL PROTECTED]> writes: > There is "insert certificate here" text in the current set of drafts. When talking about this part of the draft, I would like to remind you of this quite annoying issue: : 4.6. Public Key Algorithms : : This protocol has been designed to be able to operate with almost any : public key format, encoding, and algorithm (signature and/or : encryption). : : There are several aspects that define a public key type: : : o Key format: how is the key encoded and how are certificates : represented. The key blobs in this protocol MAY contain certificates : in addition to keys. : : o Signature and/or encryption algorithms. Some key types may not : support both signing and encryption. Key usage may also be : restricted by policy statements in e.g. certificates. In this case, : different key types SHOULD be defined for the different policy : alternatives. : : o Encoding of signatures and/or encrypted data. This includes but is : not limited to padding, byte order, and data formats. (important) The way I want to read this, there is a unique mapping from key type to triples <key format, algorithm (including policy), signature format>. I.e. when I advertise a key type, I *know* which algorithms I have to support in order to live up to my advertising. However, that's not the case for the defined key types, : The following public key and/or certificate formats are currently : defined: : : ssh-dss REQUIRED sign Simple DSS : x509v3 RECOMMENDED sign X.509 certificates : spki OPTIONAL sign SPKI certificates : pgp OPTIONAL sign OpenPGP certificates Say that a server has a dss hostkey, that it can offer as either a ssh-dss key or as a x509 certificate chain. I'm running a client that supports x509 (but only the most common rsa-based certificates) and ssh-dss. If both programs lists x509 as their preferred public key algorithm, it will be chosen, but communication will fail, even though there is a ssh-dss hostkey that both parties can deal with. I don't know the right way to solve this. Perhaps one needs to define more keytypes, x509v3-dsa (implementation can deal with both rsa and dsa) and spki-rsa. Here, rsa is the usual algorithm for use with x509, while dsa is the usual one for spki. This is mostly a problem for hostkeys, where communication fails when the client can't deal with the hostkey. For user authentication, the client can just try another key or key type. /Niels
