path: root/PROTOCOL.krl
author: djm@openbsd.org <djm@openbsd.org> 2018-09-12 01:21:34 +0000
committer: Damien Miller <djm@mindrot.org> 2018-09-12 16:49:21 +1000
commit: 9405c6214f667be604a820c6823b27d0ea77937d (patch)
tree: 02a875b21e6a6f0d1432cc90ae515383b267b688 /PROTOCOL.krl
parent: 50e2687ee0941c0ea216d6ffea370ffd2c1f14b9 (diff)
upstream: allow key revocation by SHA256 hash and allow ssh-keygen
to create KRLs using SHA256/base64 key fingerprints; ok markus@ OpenBSD-Commit-ID: a0590fd34e7f1141f2873ab3acc57442560e6a94
Diffstat (limited to 'PROTOCOL.krl')
-rw-r--r--  PROTOCOL.krl  16
1 files changed, 9 insertions, 7 deletions
diff --git a/PROTOCOL.krl b/PROTOCOL.krl
index f319bad21..115f80e5d 100644
--- a/PROTOCOL.krl
+++ b/PROTOCOL.krl
@@ -36,6 +36,7 @@ The available section types are:
36#define KRL_SECTION_EXPLICIT_KEY 2 36#define KRL_SECTION_EXPLICIT_KEY 2
37#define KRL_SECTION_FINGERPRINT_SHA1 3 37#define KRL_SECTION_FINGERPRINT_SHA1 3
38#define KRL_SECTION_SIGNATURE 4 38#define KRL_SECTION_SIGNATURE 4
39#define KRL_SECTION_FINGERPRINT_SHA256 5
39 40
402. Certificate section 412. Certificate section
41 42
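Review bot: the new `#define KRL_SECTION_FINGERPRINT_SHA256 5` is added to the section-type list without any note on how an implementation that predates type 5 should treat a KRL containing such a section; since a revocation list that is silently ignored or rejected on older parsers changes whether the listed keys are actually revoked, consider adding a sentence here (or in the fingerprint section text) stating the expected behaviour for unknown section types. Also worth a one-line comment next to the define that this type is the SHA256 counterpart of KRL_SECTION_FINGERPRINT_SHA1 (type 3), because the two fingerprint types are no longer adjacent in the numbering.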
@@ -127,18 +128,19 @@ must be a raw key (i.e. not a certificate).
127 128
128This section may appear multiple times. 129This section may appear multiple times.
129 130
1304. SHA1 fingerprint sections 1314. SHA1/SHA256 fingerprint sections
131 132
132These sections, identified as KRL_SECTION_FINGERPRINT_SHA1, revoke 133These sections, identified as KRL_SECTION_FINGERPRINT_SHA1 and
133plain keys (i.e. not certificates) by listing their SHA1 hashes: 134KRL_SECTION_FINGERPRINT_SHA256, revoke plain keys (i.e. not
135certificates) by listing their hashes:
134 136
135 string public_key_hash[0] 137 string public_key_hash[0]
136 .... 138 ....
137 139
138This section must contain at least one "public_key_hash". The hash blob 140This section must contain at least one "public_key_hash". The hash blob
139is obtained by taking the SHA1 hash of the public key blob. Hashes in 141is obtained by taking the SHA1 or SHA256 hash of the public key blob.
140this section must appear in numeric order, treating each hash as a big- 142Hashes in this section must appear in numeric order, treating each hash
141endian integer. 143as a big-endian integer.
142 144
143This section may appear multiple times. 145This section may appear multiple times.
144 146
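Review bot: the rewritten sentence "is obtained by taking the SHA1 or SHA256 hash of the public key blob" leaves it implicit which algorithm applies; it is fixed by the section type, so state it explicitly, e.g. "SHA1 for KRL_SECTION_FINGERPRINT_SHA1 (20-byte hashes) and SHA256 for KRL_SECTION_FINGERPRINT_SHA256 (32-byte hashes)", and add that a parser must reject a `public_key_hash` whose length does not match the section type, since a wrong-length blob can never match a real key and would otherwise pass as a harmless entry. The "numeric order, treating each hash as a big-endian integer" requirement carries over unchanged, which is fine, but it is only well defined when every hash in a section has the same length, which is a further reason to make the per-section length rule explicit.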
@@ -166,4 +168,4 @@ Implementations that retrieve KRLs over untrusted channels must verify
166signatures. Signature sections are optional for KRLs distributed by 168signatures. Signature sections are optional for KRLs distributed by
167trusted means. 169trusted means.
168 170
169$OpenBSD: PROTOCOL.krl,v 1.4 2018/04/10 00:10:49 djm Exp $ 171$OpenBSD: PROTOCOL.krl,v 1.5 2018/09/12 01:21:34 djm Exp $