upstream commit

permit KRLs that revoke certificates by serial number or key ID without scoping to a particular CA; ok markus@
author: djm@openbsd.org <djm@openbsd.org> 2015-01-30 01:10:33 +0000
committer: Damien Miller <djm@mindrot.org> 2015-01-30 12:17:07 +1100
commit: 669aee994348468af8b4b2ebd29b602cf2860b22 (patch)
tree: 47acfa09dd5b13cbab745b70c5cf2b7de3777f5a /PROTOCOL.krl
parent: 7a2c368477e26575d0866247d3313da4256cb2b5 (diff)
1 files changed, 7 insertions, 2 deletions
diff --git a/PROTOCOL.krl b/PROTOCOL.krl
index e8caa4527..b9695107b 100644
--- a/PROTOCOL.krl
+++ b/PROTOCOL.krl
@@ -37,7 +37,7 @@ The available section types are:
 #define KRL_SECTION_FINGERPRINT_SHA1            3
 #define KRL_SECTION_SIGNATURE                   4
-3. Certificate serial section
+2. Certificate section
 These sections use type KRL_SECTION_CERTIFICATES to revoke certificates by
 serial number or key ID. The consist of the CA key that issued the
@@ -47,6 +47,11 @@ ignored.
        string ca_key
        string reserved
+Where "ca_key" is the standard SSH wire serialisation of the CA's
+public key. Alternately, "ca_key" may be an empty string to indicate
+the certificate section applies to all CAs (this is most useful when
+revoking key IDs).
 Followed by one or more sections:
        byte    cert_section_type
@@ -161,4 +166,4 @@ Implementations that retrieve KRLs over untrusted channels must verify
 signatures. Signature sections are optional for KRLs distributed by
 trusted means.
-$OpenBSD: PROTOCOL.krl,v 1.2 2013/01/18 00:24:58 djm Exp $
+$OpenBSD: PROTOCOL.krl,v 1.3 2015/01/30 01:10:33 djm Exp $
author	djm@openbsd.org <djm@openbsd.org>	2015-01-30 01:10:33 +0000
committer	Damien Miller <djm@mindrot.org>	2015-01-30 12:17:07 +1100
commit	669aee994348468af8b4b2ebd29b602cf2860b22 (patch)
tree	47acfa09dd5b13cbab745b70c5cf2b7de3777f5a /PROTOCOL.krl
parent	7a2c368477e26575d0866247d3313da4256cb2b5 (diff)