1 files changed, 16 insertions, 4 deletions
diff --git a/PROTOCOL.certkeys b/PROTOCOL.certkeys
index 65f11f538..11363fdc3 100644
--- a/PROTOCOL.certkeys
+++ b/PROTOCOL.certkeys
@@ -25,6 +25,10 @@ raw user keys. The ssh client will support automatic verification of
 acceptance of certified host keys, by adding a similar ability to
 specify CA keys in ~/.ssh/known_hosts.
+All certificate types include certification information along with the
+public key that is used to sign challenges. In OpenSSH, ssh-keygen
+performs the CA signing operation.
 Certified keys are represented using new key types:
    ssh-rsa-cert-v01@openssh.com
@@ -33,9 +37,17 @@ Certified keys are represented using new key types:
    ecdsa-sha2-nistp384-cert-v01@openssh.com
    ecdsa-sha2-nistp521-cert-v01@openssh.com
-These include certification information along with the public key
+Two additional types exist for RSA certificates to force use of
-that is used to sign challenges. ssh-keygen performs the CA signing
+SHA-2 signatures (SHA-256 and SHA-512 respectively):
-operation.
+    rsa-sha2-256-cert-v01@openssh.com
+    rsa-sha2-512-cert-v01@openssh.com
+These RSA/SHA-2 types should not appear in keys at rest or transmitted
+on their wire, but do appear in a SSH_MSG_KEXINIT's host-key algorithms
+field or in the "public key algorithm name" field of a "publickey"
+SSH_USERAUTH_REQUEST to indicate that the signature will use the
+specified algorithm.
 Protocol extensions
 -------------------
@@ -291,4 +303,4 @@ permit-user-rc          empty         Flag indicating that execution of
                                      of this script will not be permitted if
                                      this option is not present.
-$OpenBSD: PROTOCOL.certkeys,v 1.14 2018/04/10 00:10:49 djm Exp $
+$OpenBSD: PROTOCOL.certkeys,v 1.15 2018/07/03 11:39:54 djm Exp $

diff --git a/PROTOCOL.certkeys b/PROTOCOL.certkeys index 65f11f538..11363fdc3 100644 --- a/PROTOCOL.certkeys +++ b/PROTOCOL.certkeys
@@ -25,6 +25,10 @@ raw user keys. The ssh client will support automatic verification of
25	acceptance of certified host keys, by adding a similar ability to	25	acceptance of certified host keys, by adding a similar ability to
26	specify CA keys in ~/.ssh/known_hosts.	26	specify CA keys in ~/.ssh/known_hosts.
27		27
		28	All certificate types include certification information along with the
		29	public key that is used to sign challenges. In OpenSSH, ssh-keygen
		30	performs the CA signing operation.
		31
28	Certified keys are represented using new key types:	32	Certified keys are represented using new key types:
29		33
30	ssh-rsa-cert-v01@openssh.com	34	ssh-rsa-cert-v01@openssh.com
@@ -33,9 +37,17 @@ Certified keys are represented using new key types:
33	ecdsa-sha2-nistp384-cert-v01@openssh.com	37	ecdsa-sha2-nistp384-cert-v01@openssh.com
34	ecdsa-sha2-nistp521-cert-v01@openssh.com	38	ecdsa-sha2-nistp521-cert-v01@openssh.com
35		39
36	These include certification information along with the public key	40	Two additional types exist for RSA certificates to force use of
37	that is used to sign challenges. ssh-keygen performs the CA signing	41	SHA-2 signatures (SHA-256 and SHA-512 respectively):
38	operation.	42
		43	rsa-sha2-256-cert-v01@openssh.com
		44	rsa-sha2-512-cert-v01@openssh.com
		45
		46	These RSA/SHA-2 types should not appear in keys at rest or transmitted
		47	on their wire, but do appear in a SSH_MSG_KEXINIT's host-key algorithms
		48	field or in the "public key algorithm name" field of a "publickey"
		49	SSH_USERAUTH_REQUEST to indicate that the signature will use the
		50	specified algorithm.
39		51
40	Protocol extensions	52	Protocol extensions
41	-------------------	53	-------------------
@@ -291,4 +303,4 @@ permit-user-rc empty Flag indicating that execution of
291	of this script will not be permitted if	303	of this script will not be permitted if
292	this option is not present.	304	this option is not present.
293		305
294	$OpenBSD: PROTOCOL.certkeys,v 1.14 2018/04/10 00:10:49 djm Exp $	306	$OpenBSD: PROTOCOL.certkeys,v 1.15 2018/07/03 11:39:54 djm Exp $