Subject: Suggestion for New Certificate Type: CKC_OPENSSH_CERT
Dear PKCS11 TC,
As some of you may be aware, in 2010 the maintainers of OpenSSH defined an extension to the SSH protocol that allows the use of a (single-tier) CA for authentication keys.
The format is described in more detail here.
They describe the background as follows:
"The SSH protocol currently supports a simple public key authentication"
The specification is now 10 years old and pretty stable. These certificates are in use in a variety of enterprise environments.
Personally, I currently store my certificate on a token as a generic data object and have built some scripts around it to automatically put it in the right places at the beginning of an ssh session. However, I do think it would make sense to consider extending PKCS11 to make OpenSSH certificates first-class members of PKCS11 in some future release.
Therefore, my suggestion would be to extend the allowed values for CKA_CERTIFICATE_TYPE to include a newly defined value CKC_OPENSSH_CERT (which could be 3UL).
The allowed attributes, in addition to the base certificate attributes, could be the following, to keep it as similar as possible to existing uses:
CKA_ISSUER | Byte array | DER-encoding of the certificate issuer name (default empty)
CKA_SERIAL_NUMBER | Byte array | DER-encoding of the certificate serial number (default empty)
CKA_VALUE | Byte array | the native binary openssh certificate blob as it would be contained in the base64 blob within an id_rsa-cert.pub file
CKA_HASH_OF_SUBJECT_PUBLIC_KEY
CKA_HASH_OF_ISSUER_PUBLIC_KEY
CKA_NAME_HASH_ALGORITHM
Plus newly defined attributes based on the certificate type itself, e.g. CKA_PRINCIPALS, which would be to some extent similar to CKA_ATTR_TYPES of X.509 attribute certificates.
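As an added illustration (not part of the original message, and not OpenSSH's or any PKCS11 vendor's code), the following parser decodes the certificate wire format that CKA_VALUE would carry and shows how a CKA_PRINCIPALS value could be derived from it. It follows the field layout documented in OpenSSH's PROTOCOL.certkeys for the ed25519 and RSA certificate types; the blob it parses is a constructed sample with dummy key and signature bytes, and the parser only decodes fields, it does not verify the CA signature.

```python
"""Decode an OpenSSH certificate blob (the bytes an id_*-cert.pub line carries
in base64, and what a CKA_VALUE attribute would hold) into its fields.
Illustrative code only: no signature verification, no key validation."""
import base64
import struct

# Key-specific fields that follow the nonce, per certificate type
# ("string" = length-prefixed bytes, "mpint" = length-prefixed big-endian int).
KEY_FIELDS = {
    "ssh-ed25519-cert-v01@openssh.com": [("pk", "string")],
    "ssh-rsa-cert-v01@openssh.com": [("e", "mpint"), ("n", "mpint")],
}
CERT_TYPE_USER = 1
CERT_TYPE_HOST = 2


class Reader:
    """Sequential reader for the SSH wire encoding (RFC 4251 section 5)."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def uint32(self) -> int:
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v

    def uint64(self) -> int:
        (v,) = struct.unpack_from(">Q", self.data, self.pos)
        self.pos += 8
        return v

    def string(self) -> bytes:
        n = self.uint32()
        if self.pos + n > len(self.data):
            raise ValueError("truncated string field")
        v = self.data[self.pos:self.pos + n]
        self.pos += n
        return v

    def mpint(self) -> int:
        # Two's complement big-endian; an empty string encodes zero.
        return int.from_bytes(self.string(), "big", signed=True)

    def string_list(self) -> list:
        """A string whose body is itself a packed sequence of strings
        (the encoding used for valid_principals)."""
        inner = Reader(self.string())
        out = []
        while inner.pos < len(inner.data):
            out.append(inner.string().decode())
        return out


def parse_openssh_cert(blob: bytes) -> dict:
    r = Reader(blob)
    cert_type = r.string().decode()
    if cert_type not in KEY_FIELDS:
        raise ValueError(f"unsupported certificate type {cert_type!r}")
    cert = {"type": cert_type, "nonce": r.string()}
    for name, kind in KEY_FIELDS[cert_type]:
        cert[name] = r.mpint() if kind == "mpint" else r.string()
    cert["serial"] = r.uint64()
    cert["cert_kind"] = r.uint32()          # CERT_TYPE_USER or CERT_TYPE_HOST
    cert["key_id"] = r.string().decode()
    cert["principals"] = r.string_list()    # what a CKA_PRINCIPALS attribute would expose
    cert["valid_after"] = r.uint64()
    cert["valid_before"] = r.uint64()
    cert["critical_options"] = r.string()   # raw; name/data pairs inside
    cert["extensions"] = r.string()         # raw; name/data pairs inside
    cert["reserved"] = r.string()
    cert["signature_key"] = r.string()
    cert["signature"] = r.string()
    if r.pos != len(blob):
        raise ValueError("trailing bytes after certificate")
    return cert


def parse_cert_pub_line(line: str) -> dict:
    """Parse one '<type> <base64 blob> [comment]' line of a *-cert.pub file."""
    fields = line.split(None, 2)
    cert = parse_openssh_cert(base64.b64decode(fields[1]))
    if cert["type"] != fields[0]:
        raise ValueError("certificate type on the line does not match the blob")
    return cert


def is_well_formed(blob: bytes) -> bool:
    """True if the blob decodes cleanly (structure only, not trust)."""
    try:
        parse_openssh_cert(blob)
        return True
    except (ValueError, struct.error, UnicodeDecodeError):
        return False


def _s(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def build_sample_cert() -> bytes:
    """Constructed sample, NOT a real certificate: an ed25519 user cert with
    dummy key bytes and a dummy signature, just enough to exercise the parser."""
    principals = b"".join(_s(p.encode()) for p in ("alice", "deploy"))
    return b"".join([
        _s(b"ssh-ed25519-cert-v01@openssh.com"),
        _s(b"\x00" * 32), _s(b"\x11" * 32),         # nonce, pk (dummy)
        struct.pack(">Q", 42), struct.pack(">I", CERT_TYPE_USER),
        _s(b"alice@example.org"), _s(principals),
        struct.pack(">Q", 0), struct.pack(">Q", 2**64 - 1),  # valid after/before
        _s(b""), _s(b""), _s(b""),                   # options, extensions, reserved
        _s(b"\x22" * 51), _s(b"\x33" * 83),          # signature key, signature (dummy)
    ])


def sample_cert_pub_line() -> str:
    blob = base64.b64encode(build_sample_cert()).decode()
    return f"ssh-ed25519-cert-v01@openssh.com {blob} alice"


if __name__ == "__main__":
    c = parse_cert_pub_line(sample_cert_pub_line())
    print(c["key_id"], c["serial"], c["principals"])
```

A token-side implementation of CKA_PRINCIPALS would run the equivalent of `string_list` over the principals field of CKA_VALUE; the truncation check in `Reader.string` is what keeps a malformed CKA_VALUE from reading past the end of the attribute buffer.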
(Note: OpenSSH currently already allows the use of PKCS11; however, it only uses public keys, or uses the subject of an X.509 certificate as a key comment, instead of offering fuller certificate support.)
Best regards,
Jó