summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDamien Miller <djm@mindrot.org>2012-04-22 11:08:30 +1000
committerDamien Miller <djm@mindrot.org>2012-04-22 11:08:30 +1000
commit48348fc3b4455df8112d4e1b6de5b4f0779be875 (patch)
treea8b918019d6ee2ddc0e1028213ae92f44dff6351
parent29cd1888873d453f28609d8b301062cbaa4ab4d8 (diff)
- djm@cvs.openbsd.org 2012/03/28 07:23:22
[PROTOCOL.certkeys] explain certificate extensions/crit split rationale. Mention requirement that each appear at most once per cert.
-rw-r--r--ChangeLog4
-rw-r--r--PROTOCOL.certkeys15
2 files changed, 16 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog
index 5e621928..f89e1b17 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,6 +9,10 @@
of having it always enforced even when marked as ignorenologin. This
regressed when the logic was incompletely flipped around in rev 1.251
ok halex@ millert@
+ - djm@cvs.openbsd.org 2012/03/28 07:23:22
+ [PROTOCOL.certkeys]
+ explain certificate extensions/crit split rationale. Mention requirement
+ that each appear at most once per cert.
20120420
- (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
diff --git a/PROTOCOL.certkeys b/PROTOCOL.certkeys
index 2f976498..c9859109 100644
--- a/PROTOCOL.certkeys
+++ b/PROTOCOL.certkeys
@@ -162,6 +162,13 @@ extensions is a set of zero or more optional extensions. These extensions
are not critical, and an implementation that encounters one that it does
not recognise may safely ignore it.
+Generally, critical options are used to control features that restrict
+access where extensions are used to enable features that grant access.
+This ensures that certificates containing unknown restrictions do not
+inadvertently grant access while allowing new protocol features to be
+enabled via extensions without breaking certificates' backwards
+compatibility.
+
The reserved field is currently unused and is ignored in this version of
the protocol.
@@ -189,7 +196,7 @@ is a sequence of zero or more tuples:
string data
Options must be lexically ordered by "name" if they appear in the
-sequence.
+sequence. Each named option may only appear once in a certificate.
The name field identifies the option and the data field encodes
option-specific information (see below). All options are
@@ -220,7 +227,9 @@ Extensions
The extensions section of the certificate specifies zero or more
non-critical certificate extensions. The encoding and ordering of
-extensions in this field is identical to that of the critical options.
+extensions in this field is identical to that of the critical options,
+as is the requirement that each name appear only once.
+
If an implementation does not recognise an extension, then it should
ignore it.
@@ -253,4 +262,4 @@ permit-user-rc empty Flag indicating that execution of
of this script will not be permitted if
this option is not present.
-$OpenBSD: PROTOCOL.certkeys,v 1.8 2010/08/31 11:54:45 djm Exp $
+$OpenBSD: PROTOCOL.certkeys,v 1.9 2012/03/28 07:23:22 djm Exp $