P6R's Secure Shell Public Key Subsystem
RFC 7076
Document Type RFC - Informational (November 2013; No errata)
Last updated 2018-12-20
Replaces draft-joseph-pkix-sshextension
Stream ISE
Formats plain text html pdf htmlized bibtex
IETF conflict review conflict-review-joseph-pkix-p6rsshextension
Stream ISE state Published RFC
Consensus Boilerplate Unknown
Document shepherd No shepherd assigned
IESG IESG state RFC 7076 (Informational)
Telechat date
Responsible AD (None)
Send notices to (None)
Email authors IPR References Referenced by Nits 
Independent Submission                                         M. Joseph
Request for Comments: 7076                                      J. Susoy
Category: Informational                                         P6R, Inc
ISSN: 2070-1721                                            November 2013

                P6R's Secure Shell Public Key Subsystem

Abstract

   The Secure Shell (SSH) Public Key Subsystem protocol defines a key
   distribution protocol that is limited to provisioning an SSH server
   with a user's public keys.  This document describes a new protocol
   that builds on the protocol defined in RFC 4819 to allow the
   provisioning of keys and certificates to a server using the SSH
   transport.

   The new protocol allows the calling client to organize keys and
   certificates in different namespaces on a server.  These namespaces
   can be used by the server to allow a client to configure any
   application running on the server (e.g., SSH, Key Management
   Interoperability Protocol (KMIP), Simple Network Management Protocol
   (SNMP)).

   The new protocol provides a server-independent mechanism for clients
   to add public keys, remove public keys, add certificates, remove
   certificates, and list the current set of keys and certificates known
   by the server by namespace (e.g., list all public keys in the SSH
   namespace).

   Rights to manage keys and certificates in a particular namespace are
   specific and limited to the authorized user and are defined as part
   of the server's implementation.  The described protocol is backward
   compatible to version 2 defined by RFC 4819.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This is a contribution to the RFC Series, independently of any other
   RFC stream.  The RFC Editor has chosen to publish this document at
   its discretion and makes no statement about its value for
   implementation or deployment.  Documents approved for publication by
   the RFC Editor are not a candidate for any level of Internet
   Standard; see Section 2 of RFC 5741.

Joseph & Susoy                Informational                     [Page 1]
RFC 7076         P6R's Secure Shell Public Key Subsystem   November 2013

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7076.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Table of Contents

   1. Introduction ....................................................3
   2. Terminology .....................................................3
   3. Overview of Extensions to the Public Key Subsystem ..............3
      3.1. Extended Status Codes ......................................4
      3.2. The Version Packet .........................................4
      3.3. The Namespace Attribute ....................................4
   4. New Operations ..................................................5
      4.1. Adding a Certificate .......................................5
      4.2. Removing a Certificate .....................................6
      4.3. Listing Certificates .......................................6
      4.4. Listing Namespaces .........................................7
   5. Extending Public Key Operations .................................8
      5.1. Adding a Public Key ........................................8
      5.2. Removing a Public Key ......................................8
      5.3. Listing Public Keys ........................................9
   6. Security Considerations .........................................9
   7. IANA Considerations ............................................10
   8. References .....................................................10
      8.1. Normative References ......................................10
      8.2. Informative References ....................................10

Joseph & Susoy                Informational                     [Page 2]
RFC 7076         P6R's Secure Shell Public Key Subsystem   November 2013

1.  Introduction

   This document describes a new protocol that builds on the protocol
   defined in RFC 4819 that can be used to configure public keys and
   certificates in an implementation-independent fashion.  The concept
   of a namespace is added to the protocol's operations; it allows the
   client to organize keys and certificates by application or
   organizational structure.

   P6R's Secure Shell Public Key Subsystem has been designed to run on
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools