X.509v3 Certificates for Secure Shell Authentication
Note: This ballot was opened for revision 07 and is now closed.
(Russ Housley) (was Discuss) Yes
Section 1 says:

> Digital certificates, such as those in X.509 version 3 (X.509v3)
> format, ...

Please add a reference. [RFC5280] seems appropriate.

Section 1 also says:

> This document is concerned with SSH implementation details;
> specification of the underlying cryptographic algorithms and the
> handling and structure of X.509v3 certificates is left to other
> standards documents.

What documents does an implementer need to read? Obviously, RFC 5280 is needed. Please list them as normative references.
(Alexey Melnikov) Yes
Comment (2010-11-24 for -)
A well written document, one question:

> 2.1. Public Key Format
>
> For all of the public key algorithms specified in this document, the key format consists of a sequence of one or more X.509v3 certificates followed by a sequence of 0 or more Online Certificate Status Protocol (OCSP) responses as in Section 4.2 of [RFC2560]. Providing OCSP responses directly in this data structure can reduce the number of communication rounds required (saving the implementation from needing to perform OCSP checking out-of-band) and can also allow a client outside of a private network to receive OCSP responses from a server behind firewall.

This text almost makes it sound as if OCSP data is optional to include.
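As an added illustration of the Section 2.1 key format discussed above (this is example code, not part of the ballot or the draft): an encoder and a bounds-checked decoder for the public key blob, enforcing "one or more" certificates while accepting zero OCSP responses. The wire layout (SSH string algorithm name, uint32 certificate-count, the certificates, uint32 ocsp-response-count, the responses) follows RFC 6187 Section 2.1 as published; the function names are mine and the certificate and OCSP bytes are constructed placeholders, not real DER.

```python
import struct

# SSH wire format (RFC 4251): a "string" is a uint32 big-endian length plus bytes.
def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def encode_x509v3_key(algo: str, certs: list, ocsp_responses: list) -> bytes:
    """Build an RFC 6187 Section 2.1 public key blob: string algorithm name,
    uint32 certificate-count, the certificates, uint32 ocsp-response-count,
    the OCSP responses. At least one certificate is required; OCSP is 0-or-more."""
    if not certs:
        raise ValueError("RFC 6187 requires one or more certificates")
    blob = ssh_string(algo.encode("ascii"))
    blob += struct.pack(">I", len(certs)) + b"".join(map(ssh_string, certs))
    blob += struct.pack(">I", len(ocsp_responses)) + b"".join(map(ssh_string, ocsp_responses))
    return blob

def decode_x509v3_key(blob: bytes) -> dict:
    """Parse a blob defensively: every length is bounds-checked against the
    buffer so a truncated or padded blob is rejected rather than mis-read."""
    pos = 0
    def read_uint32() -> int:
        nonlocal pos
        if pos + 4 > len(blob):
            raise ValueError("truncated blob")
        (value,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        return value
    def read_string() -> bytes:
        nonlocal pos
        length = read_uint32()
        if pos + length > len(blob):
            raise ValueError("string length exceeds blob")
        value = blob[pos:pos + length]
        pos += length
        return value
    algo = read_string().decode("ascii")
    cert_count = read_uint32()
    if cert_count == 0:
        raise ValueError("certificate-count must be at least 1")
    certs = [read_string() for _ in range(cert_count)]
    ocsp_count = read_uint32()  # zero is legal: OCSP responses are optional
    ocsp = [read_string() for _ in range(ocsp_count)]
    if pos != len(blob):
        raise ValueError("trailing bytes after key blob")
    return {"algorithm": algo, "certificates": certs, "ocsp_responses": ocsp}

# Constructed placeholders standing in for DER data; not real certificates or OCSP responses.
FAKE_CERT = b"\x30\x03\x02\x01\x01"
FAKE_OCSP = b"\x30\x03\x0a\x01\x00"
```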