Announce: X.509 certificates support in OpenSSH version 5.4
Hi All,
The version 5.4 of "X.509 certificates support in OpenSSH" is ready for download. On the download page http://roumenpetrov.info.localhost/o....html#get_-5.4 you can find diffs for OpenSSH versions 4.2p1 and 4.3p2.

What's new:

* given up support for "x509v3-sign-rsa-sha1" and "x509v3-sign-dss-sha1"
  The implementation realised in the previous version 5.3 is not fully in conformance with "draft-ietf-secsh-x509-02.txt".

* correct nid for OCSP responder location
  All versions before 5.4 search for nid "id-pkix-ocsp-service-locator" instead of the correct one, "id-ad-ocsp", to find the location of the OCSP responder.

* public key permit X.509 certificate for authentication
  Now a public key listed in the authorized keys file also permits an X.509 certificate with a public key that matches it to be used in "public key authentication".

* client option "PubkeyAlgorithms"
  This new client option specifies the protocol version 2 algorithms used in "publickey" authentication that are allowed to be sent to the host.

* server option "KeyAllowSelfIssued"
  This new server option specifies whether only a public key or certificate blob listed in the authorized keys file can allow a self-issued (self-signed) X.509 certificate to be used for user authentication.

Please visit "http://roumenpetrov.info/openssh/" for more information about "X.509 certificates support in OpenSSH".

Regards,
Roumen Petrov

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://www.mindrot.org/mailman/listi...enssh-unix-dev