P6R's Secure Shell Public Key Subsystem
Author(s) - M. Joseph, Jim Susoy
Publication year - 2013
Publication title - rfc
Language(s) - English
Resource type - Reports
DOI - 10.17487/rfc7076
Subject(s) - key (lock) , shell (structure) , computer security , public key cryptography , computer science , engineering , encryption , civil engineering
The Secure Shell (SSH) Public Key Subsystem protocol defines a key distribution protocol that is limited to provisioning an SSH server with a user's public keys. This document describes a new protocol that builds on the protocol defined in RFC 4819 to allow the provisioning of keys and certificates to a server using the SSH transport. The new protocol allows the calling client to organize keys and certificates in different namespaces on a server. These namespaces can be used by the server to allow a client to configure any application running on the server (e.g., SSH, Key Management Interoperability Protocol (KMIP), Simple Network Management Protocol (SNMP)). The new protocol provides a server-independent mechanism for clients to add public keys, remove public keys, add certificates, remove certificates, and list the current set of keys and certificates known by the server by namespace (e.g., list all public keys in the SSH namespace). Rights to manage keys and certificates in a particular namespace are specific and limited to the authorized user and are defined as part of the server's implementation. The described protocol is backward compatible to version 2 defined by RFC 4819.