From beec17bb311365b75a0a5941418d4b96df7d7888 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Mon, 17 Jul 2023 04:01:10 +0000 Subject: upstream: remove vestigal support for KRL signatures When the KRL format was originally defined, it included support for signing of KRL objects. However, the code to sign KRLs and verify KRL signatues was never completed in OpenSSH. Now, some years later, we have SSHSIG support in ssh-keygen that is more general, well tested and actually works. So this removes the semi-finished KRL signing/verification support from OpenSSH and refactors the remaining code to realise the benefit - primarily, we no longer need to perform multiple parsing passes over KRL objects. ok markus@ OpenBSD-Commit-ID: 517437bab3d8180f695c775410c052340e038804 --- PROTOCOL.krl | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'PROTOCOL.krl') diff --git a/PROTOCOL.krl b/PROTOCOL.krl index f4213156e..1b59c76be 100644 --- a/PROTOCOL.krl +++ b/PROTOCOL.krl @@ -193,6 +193,10 @@ The "extension_contents" contains the body of the extension. 6. KRL signature sections +Note: KRL signatures are not supported by OpenSSH. OpenSSH >= 9.4 will +refuse to load KRLs that contain signatures. We recommend the use +of SSHSIG (`ssh-keygen -Y sign ...`) style signatures for KRLs instead. + The KRL_SECTION_SIGNATURE section serves a different purpose to the preceding ones: to provide cryptographic authentication of a KRL that is retrieved over a channel that does not provide integrity protection. @@ -215,4 +219,4 @@ Implementations that retrieve KRLs over untrusted channels must verify signatures. Signature sections are optional for KRLs distributed by trusted means. -$OpenBSD: PROTOCOL.krl,v 1.6 2023/07/17 03:57:21 djm Exp $ +$OpenBSD: PROTOCOL.krl,v 1.7 2023/07/17 04:01:10 djm Exp $ -- cgit v1.2.3
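Review bot: In the hunk at @@ -193,6 +193,10 @@, the added note names only the signing command (`ssh-keygen -Y sign ...`) and does not say how a consumer should verify the result before loading the KRL. Suggest adding a sentence on the verification step. The note should also say what versions before 9.4 did with a signature section: the commit message says verification was never completed, so a reader should not assume older releases checked these signatures.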
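Review bot: The unchanged context in the hunk at @@ -215,4 +219,4 @@ still reads "Implementations that retrieve KRLs over untrusted channels must verify signatures", which now conflicts with the note added at the top of section 6 saying OpenSSH >= 9.4 refuses to load KRLs that contain signatures. Suggest rewording that paragraph, or marking the rest of section 6 as describing a format feature OpenSSH does not implement, so the "must" is not read as behaviour OpenSSH provides and integrity for KRLs fetched over untrusted channels is clearly left to the SSHSIG signature.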