X.509v3 Certificates for Secure Shell Authentication
RFC 6187

Note: This ballot was opened for revision 07 and is now closed.

(Russ Housley) (was Discuss) Yes

Comment (2010-11-28)
Section 1 says:
  > Digital certificates, such as those in X.509 version 3 (X.509v3)
  > format, ...
  Please add a reference.  [RFC5280] seems appropriate.

  Section 1 also says:
  > This document is concerned with SSH implementation details;
  > specification of the underlying cryptographic algorithms and the
  > handling and structure of X.509v3 certificates is left to other
  > standards documents.
  What documents does an implementer need to read?  Obviously, RFC 5280
  is needed.  Please list them as normative references.

(Alexey Melnikov) Yes

Comment (2010-11-24 for -)
A well written document, one question:

2.1.  Public Key Format

   For all of the public key algorithms specified in this document, the
   key format consists of a sequence of one or more X.509v3 certificates
   followed by a sequence of 0 or more Online Certificate Status
   Protocol (OCSP) responses as in Section 4.2 of [RFC2560].  Providing
   OCSP responses directly in this data structure can reduce the number
   of communication rounds required (saving the implementation from
   needing to perform OCSP checking out-of-band) and can also allow a
   client outside of a private network to receive OCSP responses from a
   server behind a firewall.

This text almost makes it sound as if OCSP data is optional to include.
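The quoted Section 2.1 describes the public key blob as one or more X.509v3 certificates followed by zero or more OCSP responses, which is exactly the ambiguity the comment above raises: the OCSP list may be empty, the certificate list may not. The encoder and parser below are an added illustration, not code from the RFC or from any SSH implementation. They assume the SSH wire layout that RFC 6187 gives for this blob (an SSH string naming the algorithm, a uint32 certificate-count followed by that many SSH strings, then a uint32 ocsp-response-count followed by that many SSH strings); the page itself quotes only the prose description. The certificate and OCSP bytes are constructed placeholders, not real DER.

```python
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH 'string' encoding (RFC 4251): uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def encode_x509v3_key(algorithm: str, certificates, ocsp_responses=()) -> bytes:
    """Build the key blob: algorithm name, >=1 certificates, >=0 OCSP responses.

    The layout (name, count, strings, count, strings) is the RFC 6187 wire format
    as assumed for this example; the certificate list must not be empty, the
    OCSP list may be.
    """
    if len(certificates) < 1:
        raise ValueError("at least one certificate is required")
    blob = ssh_string(algorithm.encode("ascii"))
    blob += struct.pack(">I", len(certificates))
    for cert in certificates:
        blob += ssh_string(cert)
    blob += struct.pack(">I", len(ocsp_responses))
    for resp in ocsp_responses:
        blob += ssh_string(resp)
    return blob


class SshReader:
    """Bounds-checked cursor over a received blob; every read validates length."""

    def __init__(self, buf: bytes):
        self.buf = buf
        self.pos = 0

    def uint32(self) -> int:
        if self.pos + 4 > len(self.buf):
            raise ValueError("truncated uint32")
        (value,) = struct.unpack_from(">I", self.buf, self.pos)
        self.pos += 4
        return value

    def string(self) -> bytes:
        length = self.uint32()
        if self.pos + length > len(self.buf):
            raise ValueError("string length exceeds remaining data")
        data = self.buf[self.pos:self.pos + length]
        self.pos += length
        return data


def decode_x509v3_key(blob: bytes, max_items: int = 16):
    """Parse a key blob into (algorithm, [certificates], [ocsp_responses]).

    Counts come from the peer, so they are capped (max_items is an arbitrary
    local limit for this example) before any list is materialised, and the
    'one or more certificates' rule from Section 2.1 is enforced.
    """
    reader = SshReader(blob)
    algorithm = reader.string().decode("ascii")
    if not algorithm.startswith("x509v3-"):
        raise ValueError("not an x509v3-* algorithm name: %r" % algorithm)

    cert_count = reader.uint32()
    if cert_count < 1:
        raise ValueError("certificate-count must be at least 1")
    if cert_count > max_items:
        raise ValueError("certificate-count %d exceeds limit" % cert_count)
    certificates = [reader.string() for _ in range(cert_count)]

    ocsp_count = reader.uint32()  # zero is legal: OCSP responses are optional
    if ocsp_count > max_items:
        raise ValueError("ocsp-response-count %d exceeds limit" % ocsp_count)
    ocsp_responses = [reader.string() for _ in range(ocsp_count)]

    if reader.pos != len(blob):
        raise ValueError("trailing bytes after key blob")
    return algorithm, certificates, ocsp_responses


if __name__ == "__main__":
    # Constructed placeholder values, not real certificates or OCSP responses.
    blob = encode_x509v3_key("x509v3-ssh-rsa", [b"cert-ee", b"cert-ca"], [b"ocsp"])
    print(decode_x509v3_key(blob))
```

A parser written this way rejects a blob with zero certificates, accepts one with zero OCSP responses, and never trusts a peer-supplied count or length beyond the bytes actually received; validating the certificate chain and the OCSP responses themselves is a separate step that this example leaves to an X.509 library.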

(Sean Turner) Yes

(Jari Arkko) No Objection

(Ron Bonica) No Objection

(Stewart Bryant) No Objection

(Gonzalo Camarillo) No Objection

(Lars Eggert) No Objection

(Adrian Farrel) No Objection

(Tim Polk) (was Discuss) No Objection

(Peter Saint-Andre) (was Discuss) No Objection

(Robert Sparks) No Objection