[Bug 3577] CASignatureAlgorithms supports -cert algorithms when used alongside with other options

bugzilla-daemon Sat, 17 Jun 2023 08:50:46 -0700

https://bugzilla.mindrot.org/show_bug.cgi?id=3577


xspielinbox+mind...@protonmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|CASignatureAlgorithms       |CASignatureAlgorithms
                   |supports -cert alogrithms   |supports -cert algorithms
                   |                            |when used alongside with
                   |                            |other options

--- Comment #1 from xspielinbox+mind...@protonmail.com ---
To clarify:
When only configuring one of the -cert algorithms with
CASignatureAlgorithms, one gets an error, that the configuration is
invalid, but when adding them alongside some other algorithm, they are
supported.

However, when signing a user certificate with an CA, ssh-keygen -L will
always list the non -cert (the "normal" variant so to speak) as the
algorithm behing "using" in the Signing CA. So e.g. for a ed25519 CA:
Signing CA: ED25519 SHA256:bfV6O1tWNL+L/rLib4dDFPn5eydAAhyyHUb5hz7yVjA
(using ssh-ed25519)
I would not know how to get something that would then have:
Signing CA: ED25519 SHA256:bfV6O1tWNL+L/rLib4dDFPn5eydAAhyyHUb5hz7yVjA
(using ssh-ed25519-cert)

As this algorithm in my understanding is the one

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 3577] CASignatureAlgorithms supports -cert algorithms when used alongside with other options

Reply via email to