- djm@cvs.openbsd.org 2010/04/16 01:47:26

[PROTOCOL.certkeys auth-options.c auth-options.h auth-rsa.c] [auth2-pubkey.c authfd.c key.c key.h myproposal.h ssh-add.c] [ssh-agent.c ssh-dss.c ssh-keygen.1 ssh-keygen.c ssh-rsa.c] [sshconnect.c sshconnect2.c sshd.c] revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with the following changes: move the nonce field to the beginning of the certificate where it can better protect against chosen-prefix attacks on the signature hash Rename "constraints" field to "critical options" Add a new non-critical "extensions" field Add a serial number The older format is still support for authentication and cert generation (use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate) ok markus@
author: Damien Miller <djm@mindrot.org> 2010-04-16 15:56:21 +1000
committer: Damien Miller <djm@mindrot.org> 2010-04-16 15:56:21 +1000
commit: 4e270b05dd9d850fb9e2e0ac43f33cb4090d3ebc (patch)
tree: 4fc84942b5966e9f38f18a1257ac43ddbed336be /ChangeLog
parent: 031c9100dfe3ee65a29084ebbd61965a76b3ad26 (diff)
1 files changed, 21 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index fd4ce5db2..b058de0f8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -41,6 +41,27 @@
     retry lookup for private key if there's no matching key with CKA_SIGN
     attribute enabled; this fixes fixes MuscleCard support (bugzilla #1736)
     ok djm@
+   - djm@cvs.openbsd.org 2010/04/16 01:47:26
+     [PROTOCOL.certkeys auth-options.c auth-options.h auth-rsa.c]
+     [auth2-pubkey.c authfd.c key.c key.h myproposal.h ssh-add.c]
+     [ssh-agent.c ssh-dss.c ssh-keygen.1 ssh-keygen.c ssh-rsa.c]
+     [sshconnect.c sshconnect2.c sshd.c]
+     revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with the
+     following changes:
+     
+     move the nonce field to the beginning of the certificate where it can
+     better protect against chosen-prefix attacks on the signature hash
+     
+     Rename "constraints" field to "critical options"
+     
+     Add a new non-critical "extensions" field
+     
+     Add a serial number
+     
+     The older format is still support for authentication and cert generation
+     (use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate)
+     
+     ok markus@
 20100410
 - (dtucker) [configure.ac] Put the check for the existence of getaddrinfo
author	Damien Miller <djm@mindrot.org>	2010-04-16 15:56:21 +1000
committer	Damien Miller <djm@mindrot.org>	2010-04-16 15:56:21 +1000
commit	4e270b05dd9d850fb9e2e0ac43f33cb4090d3ebc (patch)
tree	4fc84942b5966e9f38f18a1257ac43ddbed336be /ChangeLog
parent	031c9100dfe3ee65a29084ebbd61965a76b3ad26 (diff)

diff --git a/ChangeLog b/ChangeLog index fd4ce5db2..b058de0f8 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -41,6 +41,27 @@
41	retry lookup for private key if there's no matching key with CKA_SIGN	41	retry lookup for private key if there's no matching key with CKA_SIGN
42	attribute enabled; this fixes fixes MuscleCard support (bugzilla #1736)	42	attribute enabled; this fixes fixes MuscleCard support (bugzilla #1736)
43	ok djm@	43	ok djm@
		44	- djm@cvs.openbsd.org 2010/04/16 01:47:26
		45	[PROTOCOL.certkeys auth-options.c auth-options.h auth-rsa.c]
		46	[auth2-pubkey.c authfd.c key.c key.h myproposal.h ssh-add.c]
		47	[ssh-agent.c ssh-dss.c ssh-keygen.1 ssh-keygen.c ssh-rsa.c]
		48	[sshconnect.c sshconnect2.c sshd.c]
		49	revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with the
		50	following changes:
		51
		52	move the nonce field to the beginning of the certificate where it can
		53	better protect against chosen-prefix attacks on the signature hash
		54
		55	Rename "constraints" field to "critical options"
		56
		57	Add a new non-critical "extensions" field
		58
		59	Add a serial number
		60
		61	The older format is still support for authentication and cert generation
		62	(use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate)
		63
		64	ok markus@
44		65
45	20100410	66	20100410
46	- (dtucker) [configure.ac] Put the check for the existence of getaddrinfo	67	- (dtucker) [configure.ac] Put the check for the existence of getaddrinfo