Hi,

when signing a KRL with multiple keys, it's somewhat unclear if signed data includes prior signatures. My expectation would have been that signatures are created independent of each other, but that's not the case. For clarification, I'd like to suggest this patch to the documentation:

diff --git a/PROTOCOL.krl b/PROTOCOL.krl index 115f80e5..bd0ffe6b 100644 --- a/PROTOCOL.krl +++ b/PROTOCOL.krl @@ -160,6 +160,7 @@ two string components instead of one. The signature is calculated over the entire KRL from the KRL_MAGIC to this subsection's "signature_key", including both and using the signature generation rules appropriate for the type of "signature_key". +Prior signature sections are part of the signed data as well. This section must appear last in the KRL. If multiple signature sections appear, they must appear consecutively at the end of the KRL file.

n.b.: the code for creating signatures is implemented in ssh_krl_from_blob, but ssh-keygen doesn't make use of it. So I assume signed KRLs are a little-used feature.

Cheers
Jörn Heissler
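Review bot: the added line "+Prior signature sections are part of the signed data as well." restates what the sentence immediately before it already implies, since a range "from the KRL_MAGIC to this subsection's "signature_key", including both" necessarily spans every earlier signature section in full, including its signature field; consider tying the two statements together and spelling out the consequence for implementers, e.g. "Note that this range includes any preceding signature sections in their entirety, so each signature depends on the order in which the signatures were applied and they must be verified in that order." The following sentences only require that multiple signature sections "appear consecutively at the end of the KRL file" and say nothing about ordering being significant, which is the point the original question was really about.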
openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev