1 files changed, 17 insertions, 5 deletions
diff --git a/PROTOCOL.certkeys b/PROTOCOL.certkeys
index 64cb18700..11363fdc3 100644
--- a/PROTOCOL.certkeys
+++ b/PROTOCOL.certkeys
@@ -25,6 +25,10 @@ raw user keys. The ssh client will support automatic verification of
 acceptance of certified host keys, by adding a similar ability to
 specify CA keys in ~/.ssh/known_hosts.
+All certificate types include certification information along with the
+public key that is used to sign challenges. In OpenSSH, ssh-keygen
+performs the CA signing operation.
 Certified keys are represented using new key types:
    ssh-rsa-cert-v01@openssh.com
@@ -33,9 +37,17 @@ Certified keys are represented using new key types:
    ecdsa-sha2-nistp384-cert-v01@openssh.com
    ecdsa-sha2-nistp521-cert-v01@openssh.com
-These include certification information along with the public key
+Two additional types exist for RSA certificates to force use of
-that is used to sign challenges. ssh-keygen performs the CA signing
+SHA-2 signatures (SHA-256 and SHA-512 respectively):
-operation.
+    rsa-sha2-256-cert-v01@openssh.com
+    rsa-sha2-512-cert-v01@openssh.com
+These RSA/SHA-2 types should not appear in keys at rest or transmitted
+on their wire, but do appear in a SSH_MSG_KEXINIT's host-key algorithms
+field or in the "public key algorithm name" field of a "publickey"
+SSH_USERAUTH_REQUEST to indicate that the signature will use the
+specified algorithm.
 Protocol extensions
 -------------------
@@ -174,7 +186,7 @@ certificate. Each represents a time in seconds since 1970-01-01
    valid after <= current time < valid before
-criticial options is a set of zero or more key options encoded as
+critical options is a set of zero or more key options encoded as
 below. All such options are "critical" in the sense that an implementation
 must refuse to authorise a key that has an unrecognised option.
@@ -291,4 +303,4 @@ permit-user-rc          empty         Flag indicating that execution of
                                      of this script will not be permitted if
                                      this option is not present.
-$OpenBSD: PROTOCOL.certkeys,v 1.13 2017/11/03 02:32:19 djm Exp $
+$OpenBSD: PROTOCOL.certkeys,v 1.15 2018/07/03 11:39:54 djm Exp $

diff --git a/PROTOCOL.certkeys b/PROTOCOL.certkeys index 64cb18700..11363fdc3 100644 --- a/PROTOCOL.certkeys +++ b/PROTOCOL.certkeys
@@ -25,6 +25,10 @@ raw user keys. The ssh client will support automatic verification of
25	acceptance of certified host keys, by adding a similar ability to	25	acceptance of certified host keys, by adding a similar ability to
26	specify CA keys in ~/.ssh/known_hosts.	26	specify CA keys in ~/.ssh/known_hosts.
27		27
		28	All certificate types include certification information along with the
		29	public key that is used to sign challenges. In OpenSSH, ssh-keygen
		30	performs the CA signing operation.
		31
28	Certified keys are represented using new key types:	32	Certified keys are represented using new key types:
29		33
30	ssh-rsa-cert-v01@openssh.com	34	ssh-rsa-cert-v01@openssh.com
@@ -33,9 +37,17 @@ Certified keys are represented using new key types:
33	ecdsa-sha2-nistp384-cert-v01@openssh.com	37	ecdsa-sha2-nistp384-cert-v01@openssh.com
34	ecdsa-sha2-nistp521-cert-v01@openssh.com	38	ecdsa-sha2-nistp521-cert-v01@openssh.com
35		39
36	These include certification information along with the public key	40	Two additional types exist for RSA certificates to force use of
37	that is used to sign challenges. ssh-keygen performs the CA signing	41	SHA-2 signatures (SHA-256 and SHA-512 respectively):
38	operation.	42
		43	rsa-sha2-256-cert-v01@openssh.com
		44	rsa-sha2-512-cert-v01@openssh.com
		45
		46	These RSA/SHA-2 types should not appear in keys at rest or transmitted
		47	on their wire, but do appear in a SSH_MSG_KEXINIT's host-key algorithms
		48	field or in the "public key algorithm name" field of a "publickey"
		49	SSH_USERAUTH_REQUEST to indicate that the signature will use the
		50	specified algorithm.
39		51
40	Protocol extensions	52	Protocol extensions
41	-------------------	53	-------------------
@@ -174,7 +186,7 @@ certificate. Each represents a time in seconds since 1970-01-01
174		186
175	valid after <= current time < valid before	187	valid after <= current time < valid before
176		188
177	criticial options is a set of zero or more key options encoded as	189	critical options is a set of zero or more key options encoded as
178	below. All such options are "critical" in the sense that an implementation	190	below. All such options are "critical" in the sense that an implementation
179	must refuse to authorise a key that has an unrecognised option.	191	must refuse to authorise a key that has an unrecognised option.
180		192
@@ -291,4 +303,4 @@ permit-user-rc empty Flag indicating that execution of
291	of this script will not be permitted if	303	of this script will not be permitted if
292	this option is not present.	304	this option is not present.
293		305
294	$OpenBSD: PROTOCOL.certkeys,v 1.13 2017/11/03 02:32:19 djm Exp $	306	$OpenBSD: PROTOCOL.certkeys,v 1.15 2018/07/03 11:39:54 djm Exp $