On 9/19/22 20:57, Brian Candler wrote:
> On the other hand, the spec at
> https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?rev=1.19&content-type=text/x-cvsweb-markup says:
> > As a special case, a zero-length "valid principals" field means the
> > certificate is valid for any principal of the specified type.

I cannot imagine any reasonable rationale for that.

> I think the behaviour of sshd is sane and sensible. A
> "super-certificate" which can impersonate any user (or any host[^2])
> seems like a dangerous thing to me;

+1

In general a digital certificate is a signed statement by a CA saying:
"This public key belongs to this name/ID. Trust me!"

Thus if there's no name or ID in the certificate it's not a valid
certificate.

> I wonder if the protocol documentation is out of step,

IMO yes.

Ciao, Michael.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
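
An added example, not part of the original message and not OpenSSH code: a small parser that reads the "valid principals" field from a certificate line, following the field order in PROTOCOL.certkeys, and flags the zero-length case quoted above so that issued certificates can be audited. The function names are this example's own, and `sample_cert` builds a constructed, unsigned blob with dummy key material purely as test input.

```python
import base64
import struct

# Key-specific fields between the nonce and the serial, per PROTOCOL.certkeys.
KEY_FIELDS = {
    b"ssh-ed25519-cert-v01@openssh.com": 1,          # pk
    b"ssh-rsa-cert-v01@openssh.com": 2,              # e, n
    b"ssh-dss-cert-v01@openssh.com": 4,              # p, q, g, y
    b"ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,  # curve, public_key
}

def _pack(b):
    return struct.pack(">I", len(b)) + b

def _string(buf, off):
    """Read one length-prefixed SSH string; return (value, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated certificate")
    return buf[off + 4:end], end

def cert_principals(cert_line):
    """Return (cert type, key id, principals) for one *-cert.pub line."""
    blob = base64.b64decode(cert_line.split()[1])
    name, off = _string(blob, 0)
    if name not in KEY_FIELDS:
        raise ValueError("unsupported certificate type")
    for _ in range(1 + KEY_FIELDS[name]):      # skip nonce and key fields
        _, off = _string(blob, off)
    _serial, ctype = struct.unpack_from(">QI", blob, off)
    key_id, off = _string(blob, off + 12)
    packed, off = _string(blob, off)           # "valid principals" field
    principals, pos = [], 0
    while pos < len(packed):                   # zero or more packed strings
        item, pos = _string(packed, pos)
        principals.append(item.decode())
    return ("user" if ctype == 1 else "host"), key_id.decode(), principals

def is_wildcard(cert_line):
    """True when the principals field is zero-length (the spec's special case)."""
    return not cert_principals(cert_line)[2]

def sample_cert(principals):
    """Constructed test input: dummy nonce/key, empty trailing fields, no signature."""
    name = b"ssh-ed25519-cert-v01@openssh.com"
    body = _pack(name) + _pack(b"\0" * 32) + _pack(b"\1" * 32)
    body += struct.pack(">QI", 1, 1) + _pack(b"constructed-key-id")
    body += _pack(b"".join(_pack(p.encode()) for p in principals))
    body += struct.pack(">QQ", 0, 2**64 - 1) + _pack(b"") * 5
    return name.decode() + " " + base64.b64encode(body).decode()
```
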