> There is one more thing I'd like to add to the requirements list: When
> doing authentication with spki keys, it's not necessary to transmit
> the public key as part of the protocol. It is enough to send the hash
> of the corresponding sexp.
But sometimes it is necessary to have the whole publickey with certificates,
since privilege delegation cannot be done otherwise. Suppose you have an
SPKI acl giving permission for an individual to log in, and also to delegate
this privilege. The one who received this privilege has to send the whole
SPKI sequence, having the certificate of the original individual.
> > Currently, as a publickey authentication request is received, the ssh2
> > keyblob (coming in the auth request) is converted to an SPKI S-expression,
> > the canonical form of this S-expression is hashed, and the value of the
> > hash is taken as a filename and checked for in the ~/lsh/authorization
> > directory. This scheme is not general enough to support several publickey
> > methods (e.g. real SPKI, OpenPGP, and SSH2)
>
> I think hashing, in some way or another, is necessary. One way to
> arrange things is to have one directory where we store public keys (or
> possibly symlinks to keys), with a name derived from the key hash. One
> advantage of using an extra symlink indirection is that we could store
> the keys in one directory, using user-selected names, and then have a tool
> to hash them and populate the link farm.
I like this idea.
> > The authorization database would look like:
> > ~/.lsh/authorization/ssh-dss - for ssh-dss public keys, in ssh keyblob
>format
>
> Which format does Datafellows ssh2 use? ssh1 uses an simple text
> format for public keys. If we want to make usage with Datafellows ssh
> easier, we should use the same format as .ssh/identity.pub, which is
> probably not the keyblobformat.
ssh2 uses a text file 'identification' which may refer to keyfiles.
PS: I'll try to be a bit more constructive tomorrow, but I got to get some
sleep now. :)
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
url: http://www.balabit.hu/pgpkey.txt
