diff options
author | djm@openbsd.org <djm@openbsd.org> | 2015-01-30 01:10:33 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2015-01-30 12:17:07 +1100 |
commit | 669aee994348468af8b4b2ebd29b602cf2860b22 (patch) | |
tree | 47acfa09dd5b13cbab745b70c5cf2b7de3777f5a /PROTOCOL.krl | |
parent | 7a2c368477e26575d0866247d3313da4256cb2b5 (diff) |
upstream commit
permit KRLs that revoke certificates by serial number or
key ID without scoping to a particular CA; ok markus@
Diffstat (limited to 'PROTOCOL.krl')
-rw-r--r-- | PROTOCOL.krl | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/PROTOCOL.krl b/PROTOCOL.krl index e8caa452..b9695107 100644 --- a/PROTOCOL.krl +++ b/PROTOCOL.krl @@ -37,7 +37,7 @@ The available section types are: #define KRL_SECTION_FINGERPRINT_SHA1 3 #define KRL_SECTION_SIGNATURE 4 -3. Certificate serial section +2. Certificate section These sections use type KRL_SECTION_CERTIFICATES to revoke certificates by serial number or key ID. The consist of the CA key that issued the @@ -47,6 +47,11 @@ ignored. string ca_key string reserved +Where "ca_key" is the standard SSH wire serialisation of the CA's +public key. Alternately, "ca_key" may be an empty string to indicate +the certificate section applies to all CAs (this is most useful when +revoking key IDs). + Followed by one or more sections: byte cert_section_type @@ -161,4 +166,4 @@ Implementations that retrieve KRLs over untrusted channels must verify signatures. Signature sections are optional for KRLs distributed by trusted means. -$OpenBSD: PROTOCOL.krl,v 1.2 2013/01/18 00:24:58 djm Exp $ +$OpenBSD: PROTOCOL.krl,v 1.3 2015/01/30 01:10:33 djm Exp $ |