X.509 and ssh - Page 4


Re: X.509 and ssh

Latest draft is draft-ietf-secsh-x509-02.txt.

Also note that Peter Gutmann is against X.509 support in secure shells
- the mail archive of the secsh working group clearly shows this.

Re: X.509 and ssh

    JKV> Hi,

    JKV> What is the current status of X.509 support in SSH? I know there
    JKV> is support for X.509 under the form of a patch
    JKV> (http://roumenpetrov.info/openssh ). But as far as I know it's not
    JKV> supported by clients such as PuTTY.

    >> It is best supported in commercial products, such as Tectia
    >> (ssh.com) and VShell (vandyke.com).

    PG> It should be mentioned that since the required formats were never
    PG> properly specified in any standards, what's implemented is
    PG> vendor-specific and nonstandard.  The only way that something like
    PG> Putty could support whatever it is that the ssh.com and VanDyke
    PG> implementations do is by reverse-engineering the applications.

That's not quite true.  Although X.509 is not part of the final SSH-TRANS
RFC, X.509 key types were defined in earlier drafts (as you note later in
this thread).  Both Tectia and VShell use those key types (x509v3-sign-rsa
and x509v3-sign-dsa) as specified in that draft, so I don't believe there
is any need to reverse engineer anything.  If you think there is, please

It is true that, since these types are no longer part of the spec, they
should technically be qualified in use now (e.g. x509v3-sign-rsa@ssh.com).

  Richard Silverman
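The naming rule Richard refers to above (unregistered algorithm names must carry an @domain suffix) is the one in RFC 4251 section 6, and it is easy to check mechanically when auditing what a client or server offers in its KEXINIT. The following validator is an added example written for this page, not code from any of the posters or from Tectia, VShell or PuTTY. It parses an SSH name-list, classifies each name as IANA-registered, private (name@domainname with a valid FQDN) or invalid, and generalizes the thread's specific case: the registered set and the sample host-key list below are constructed for the example and are not the IANA registry.

```python
import re

# Draft-era X.509 key types named in the thread; they are not in the
# constructed registered set below, so unqualified they classify as invalid.
DRAFT_X509_KEY_TYPES = ("x509v3-sign-rsa", "x509v3-sign-dsa")

# Constructed sample of registered names for this example (not the IANA list).
SAMPLE_REGISTERED = frozenset({"ssh-rsa", "ssh-dss", "ssh-ed25519"})

# Constructed sample of a server_host_key_algorithms name-list as it might
# appear in a KEXINIT: one registered, one unqualified draft name, one
# vendor-qualified draft name.
SAMPLE_HOST_KEY_LIST = "ssh-rsa,x509v3-sign-rsa,x509v3-sign-rsa@ssh.com,ssh-ed25519"

# RFC 4251 section 6: a domainname in a private name is a valid FQDN.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def parse_name_list(name_list: str) -> list[str]:
    """Split an SSH name-list (RFC 4251 section 5): comma-separated, may be empty."""
    if name_list == "":
        return []
    return name_list.split(",")


def classify_name(name: str, registered: frozenset[str]) -> str:
    """Classify one algorithm name as "registered", "private" or "invalid".

    RFC 4251 section 6: names are printable US-ASCII, at most 64 characters,
    with no comma, whitespace or control characters. A name without "@" is
    reserved for IANA registration; a locally defined name is name@domainname.
    """
    if not (0 < len(name) <= 64):
        return "invalid"
    if "," in name or not all(32 < ord(c) < 127 for c in name):
        return "invalid"
    if "@" not in name:
        return "registered" if name in registered else "invalid"
    # The part before the first "@" must be non-empty and the remainder a FQDN
    # (which cannot itself contain "@").
    base, _, domain = name.partition("@")
    if base == "" or "@" in domain or not _FQDN_RE.match(domain):
        return "invalid"
    return "private"


def audit_name_list(name_list: str, registered: frozenset[str]) -> dict[str, str]:
    """Map every name in a name-list to its classification."""
    return {n: classify_name(n, registered) for n in parse_name_list(name_list)}


if __name__ == "__main__":
    for name, verdict in audit_name_list(SAMPLE_HOST_KEY_LIST, SAMPLE_REGISTERED).items():
        print(f"{name:30} {verdict}")
```

Run against the constructed list, the unqualified `x509v3-sign-rsa` is reported as invalid while `x509v3-sign-rsa@ssh.com` passes as a private name, which is exactly the qualification Richard describes; swap `SAMPLE_REGISTERED` for the current IANA "Public Key Algorithm Names" list to audit a real peer.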

Re: X.509 and ssh

The formats were so poorly specified that it wasn't possible to create an
interoperable implementation from them.  In fact, no-one seemed to be able to
agree on what the formats should really be, probably due at least to some
extent to the fact that everyone was interpreting the spec differently.  The
rather bizarre comment from a previous poster in this thread that I'm "against
X.509" probably comes from the fact that I pointed out that the spec as it
existed at the time was unimplementable, meaning that the text would either
have to be clarified or removed.  Since no-one was interested in clarifying
it, it was removed.  What's left is an expired draft (see
http://datatracker.ietf.org/public/idindex.cgi?command=id_detail&id=13023 )
covering this.

Presumably what's in this expired draft is what Tectia and VShell do (since
one of the authors is from VanDyke and the other from F-Secure), however at
the time the format was still specified in SSH-TRANS the text was so unclear
that the only way to implement it was either (1) get really lucky in guessing
what the text was supposed to mean or (2) reverse-engineer Tectia or VShell's
handshake to see what they did.


Re: X.509 and ssh

Definitely, reverse engineering is not necessary to be
compatible/interoperable!
