| field | value | date |
|---|---|---|
| author | djm@openbsd.org <djm@openbsd.org> | 2018-09-12 01:21:34 +0000 |
| committer | Damien Miller <djm@mindrot.org> | 2018-09-12 16:49:21 +1000 |
| commit | 9405c6214f667be604a820c6823b27d0ea77937d (patch) | |
| tree | 02a875b21e6a6f0d1432cc90ae515383b267b688 /PROTOCOL.krl | |
| parent | 50e2687ee0941c0ea216d6ffea370ffd2c1f14b9 (diff) | |
upstream: allow key revocation by SHA256 hash and allow ssh-keygen
to create KRLs using SHA256/base64 key fingerprints; ok markus@
OpenBSD-Commit-ID: a0590fd34e7f1141f2873ab3acc57442560e6a94
Diffstat (limited to 'PROTOCOL.krl'):

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | PROTOCOL.krl | 16 |

1 file changed, 9 insertions, 7 deletions
diff --git a/PROTOCOL.krl b/PROTOCOL.krl index f319bad2..115f80e5 100644 --- a/PROTOCOL.krl +++ b/PROTOCOL.krl @@ -36,6 +36,7 @@ The available section types are: #define KRL_SECTION_EXPLICIT_KEY 2 #define KRL_SECTION_FINGERPRINT_SHA1 3 #define KRL_SECTION_SIGNATURE 4 +#define KRL_SECTION_FINGERPRINT_SHA256 5 2. Certificate section @@ -127,18 +128,19 @@ must be a raw key (i.e. not a certificate). This section may appear multiple times. -4. SHA1 fingerprint sections +4. SHA1/SHA256 fingerprint sections -These sections, identified as KRL_SECTION_FINGERPRINT_SHA1, revoke -plain keys (i.e. not certificates) by listing their SHA1 hashes: +These sections, identified as KRL_SECTION_FINGERPRINT_SHA1 and +KRL_SECTION_FINGERPRINT_SHA256, revoke plain keys (i.e. not +certificates) by listing their hashes: string public_key_hash[0] .... This section must contain at least one "public_key_hash". The hash blob -is obtained by taking the SHA1 hash of the public key blob. Hashes in -this section must appear in numeric order, treating each hash as a big- -endian integer. +is obtained by taking the SHA1 or SHA256 hash of the public key blob. +Hashes in this section must appear in numeric order, treating each hash +as a big-endian integer. This section may appear multiple times. @@ -166,4 +168,4 @@ Implementations that retrieve KRLs over untrusted channels must verify signatures. Signature sections are optional for KRLs distributed by trusted means. -$OpenBSD: PROTOCOL.krl,v 1.4 2018/04/10 00:10:49 djm Exp $ +$OpenBSD: PROTOCOL.krl,v 1.5 2018/09/12 01:21:34 djm Exp $ |
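Review bot: in the first hunk the new type is appended as `KRL_SECTION_FINGERPRINT_SHA256 5` after `KRL_SECTION_SIGNATURE 4` rather than renumbering next to `KRL_SECTION_FINGERPRINT_SHA1 3`, which keeps every existing value stable and is the right call; what the hunk leaves undocumented is how a reader built before this change should treat a KRL containing section type 5, since a consumer that ignores unknown sections would silently miss every revocation in it. A sentence near the type list stating whether unknown section types are a parse error or are skipped would make the compatibility behaviour explicit.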
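Review bot: in the second hunk the rewritten text says the hash blob "is obtained by taking the SHA1 or SHA256 hash of the public key blob" without tying the algorithm to the section type, so it does not state that a `KRL_SECTION_FINGERPRINT_SHA1` section holds only SHA1 hashes and a `KRL_SECTION_FINGERPRINT_SHA256` section only SHA256 hashes, nor the resulting fixed blob lengths a parser can validate; the retained ordering rule ("numeric order, treating each hash as a big-endian integer") is only well defined when all hashes in a section have one length. Suggest: "The hash blob is obtained by taking the SHA1 (for KRL_SECTION_FINGERPRINT_SHA1) or SHA256 (for KRL_SECTION_FINGERPRINT_SHA256) hash of the public key blob; a section contains hashes of a single algorithm."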