1 files changed, 14 insertions, 7 deletions
diff --git a/PROTOCOL.certkeys b/PROTOCOL.certkeys
index aa6f5ae4c..42aa8c2a1 100644
--- a/PROTOCOL.certkeys
+++ b/PROTOCOL.certkeys
@@ -192,12 +192,13 @@ compatibility.
 The reserved field is currently unused and is ignored in this version of
 the protocol.
-signature key contains the CA key used to sign the certificate.
+The signature key field contains the CA key used to sign the
-The valid key types for CA keys are ssh-rsa, ssh-dss and the ECDSA types
+certificate. The valid key types for CA keys are ssh-rsa,
-ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521. "Chained"
+ssh-dss, ssh-ed25519 and the ECDSA types ecdsa-sha2-nistp256,
-certificates, where the signature key type is a certificate type itself
+ecdsa-sha2-nistp384, ecdsa-sha2-nistp521. "Chained" certificates, where
-are NOT supported. Note that it is possible for a RSA certificate key to
+the signature key type is a certificate type itself are NOT supported.
-be signed by a DSS or ECDSA CA key and vice-versa.
+Note that it is possible for a RSA certificate key to be signed by a
+Ed25519 or ECDSA CA key and vice-versa.
 signature is computed over all preceding fields from the initial string
 up to, and including the signature key. Signatures are computed and
@@ -223,6 +224,9 @@ option-specific information (see below). All options are
 "critical", if an implementation does not recognise a option
 then the validating party should refuse to accept the certificate.
+Custom options should append the originating author or organisation's
+domain name to the option name, e.g. "my-option@example.com".
 No critical options are defined for host certificates at present. The
 supported user certificate options and the contents and structure of
 their data fields are:
@@ -254,6 +258,9 @@ as is the requirement that each name appear only once.
 If an implementation does not recognise an extension, then it should
 ignore it.
+Custom options should append the originating author or organisation's
+domain name to the option name, e.g. "my-option@example.com".
 No extensions are defined for host certificates at present. The
 supported user certificate extensions and the contents and structure of
 their data fields are:
@@ -284,4 +291,4 @@ permit-user-rc          empty         Flag indicating that execution of
                                      of this script will not be permitted if
                                      this option is not present.
-$OpenBSD: PROTOCOL.certkeys,v 1.10 2016/05/03 10:27:59 djm Exp $
+$OpenBSD: PROTOCOL.certkeys,v 1.12 2017/05/31 04:29:44 djm Exp $

diff --git a/PROTOCOL.certkeys b/PROTOCOL.certkeys index aa6f5ae4c..42aa8c2a1 100644 --- a/PROTOCOL.certkeys +++ b/PROTOCOL.certkeys
@@ -192,12 +192,13 @@ compatibility.
192	The reserved field is currently unused and is ignored in this version of	192	The reserved field is currently unused and is ignored in this version of
193	the protocol.	193	the protocol.
194		194
195	signature key contains the CA key used to sign the certificate.	195	The signature key field contains the CA key used to sign the
196	The valid key types for CA keys are ssh-rsa, ssh-dss and the ECDSA types	196	certificate. The valid key types for CA keys are ssh-rsa,
197	ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521. "Chained"	197	ssh-dss, ssh-ed25519 and the ECDSA types ecdsa-sha2-nistp256,
198	certificates, where the signature key type is a certificate type itself	198	ecdsa-sha2-nistp384, ecdsa-sha2-nistp521. "Chained" certificates, where
199	are NOT supported. Note that it is possible for a RSA certificate key to	199	the signature key type is a certificate type itself are NOT supported.
200	be signed by a DSS or ECDSA CA key and vice-versa.	200	Note that it is possible for a RSA certificate key to be signed by a
		201	Ed25519 or ECDSA CA key and vice-versa.
201		202
202	signature is computed over all preceding fields from the initial string	203	signature is computed over all preceding fields from the initial string
203	up to, and including the signature key. Signatures are computed and	204	up to, and including the signature key. Signatures are computed and
@@ -223,6 +224,9 @@ option-specific information (see below). All options are
223	"critical", if an implementation does not recognise a option	224	"critical", if an implementation does not recognise a option
224	then the validating party should refuse to accept the certificate.	225	then the validating party should refuse to accept the certificate.
225		226
		227	Custom options should append the originating author or organisation's
		228	domain name to the option name, e.g. "my-option@example.com".
		229
226	No critical options are defined for host certificates at present. The	230	No critical options are defined for host certificates at present. The
227	supported user certificate options and the contents and structure of	231	supported user certificate options and the contents and structure of
228	their data fields are:	232	their data fields are:
@@ -254,6 +258,9 @@ as is the requirement that each name appear only once.
254	If an implementation does not recognise an extension, then it should	258	If an implementation does not recognise an extension, then it should
255	ignore it.	259	ignore it.
256		260
		261	Custom options should append the originating author or organisation's
		262	domain name to the option name, e.g. "my-option@example.com".
		263
257	No extensions are defined for host certificates at present. The	264	No extensions are defined for host certificates at present. The
258	supported user certificate extensions and the contents and structure of	265	supported user certificate extensions and the contents and structure of
259	their data fields are:	266	their data fields are:
@@ -284,4 +291,4 @@ permit-user-rc empty Flag indicating that execution of
284	of this script will not be permitted if	291	of this script will not be permitted if
285	this option is not present.	292	this option is not present.
286		293
287	$OpenBSD: PROTOCOL.certkeys,v 1.10 2016/05/03 10:27:59 djm Exp $	294	$OpenBSD: PROTOCOL.certkeys,v 1.12 2017/05/31 04:29:44 djm Exp $