diff options
author | Ian Jackson <ijackson@chiark.greenend.org.uk> | 2023-11-14 22:13:13 +0000 |
---|---|---|
committer | Ian Jackson <ijackson@chiark.greenend.org.uk> | 2023-11-14 22:27:13 +0000 |
commit | 88cfaaa89cdf06819d2d0264f5d53fa465839a50 (patch) | |
tree | 7f1642ffc3050418a1d51e43bdd51043c814e8d7 /spec/ssh-protocols.md | |
parent | bbb78411d39bd5e37e0e2a70dd1ff9001f427f74 (diff) | |
download | torspec-88cfaaa89cdf06819d2d0264f5d53fa465839a50.tar.gz torspec-88cfaaa89cdf06819d2d0264f5d53fa465839a50.zip |
ssh-protocols: ed25519-expanded: Decide where this can occur
As per irc conversation.
Diffstat (limited to 'spec/ssh-protocols.md')
-rw-r--r-- | spec/ssh-protocols.md | 47 |
1 files changed, 39 insertions, 8 deletions
diff --git a/spec/ssh-protocols.md b/spec/ssh-protocols.md index 882611d..689eea2 100644 --- a/spec/ssh-protocols.md +++ b/spec/ssh-protocols.md @@ -139,15 +139,46 @@ These refer to the expanded form of private keys for ed25519 ([RFC8032](https://datatracker.ietf.org/doc/html/rfc8032)). -This type is not used in RFC4716 public key files: -the `ed25519` SSH public key algorithm -is used for the public half of -`ed25519-expanded@spec.torproject.org` private keys. -However, -the +This key type appears within OpenSSH private key files. +When it does, the `ed25519-expanded@spec.torproject.org` +algorithm name is used for +the private key (`PROTOCOL.key` section 3, `privatekey1` etc.) +but also for +the public key (`PROTOCOL.key` section 1, `publickey1` etc.). + +> In `PROTOCOL.key` we interpret the requirement that there be +> "matching" public and private keys +> to include the requirement that +> the public key algorithm name strings must be the same. + +> In the Arti keystore a private key file +> whose filename ends with `ed25519_private.key` +> may contain either +> a standard ed25519 keypair with SSH type `ed25519` +> or +> an `ed25519-expanded@spec.torproject.org` keypair. + `ed25519-expanded@spec.torproject.org` -type *is* used in OpenSSH private key files, -for the *public* keys matching such private keys. +SHOULD NOT appear in RFC4716 *public* key files. +Software which is aware of this key type +MUST NOT generate such public key files +and SHOULD reject them on loading. +(Software handling keys in a type-agnostic manner +MAY, and probably will, process such files without complaint.) + +> These rules are because +> public keys should always be advertised as `ed25519` +> even if the private key is only available as `ed25519-expanded@`: +> this avoids leaking information about the key generation process +> to relying parties, +> and simplifies certification and verification. + +> Arti will provide a utility to convert +> anomalous RFC4716 public key files +> containing keys declared to be of type +> `ed25519-expanded@spec.torproject.org` +> to fully conforming files containg `ed25519` keys. +> In other circumstances Arti will reject such anomalous files. The public key data is `ENC(A)` ([RFC8032 3.2](https://datatracker.ietf.org/doc/html/rfc8032#section-3.2)). |