In case of multiple Hiba certs on server side which one should be used for hiba check

[rohit21187]

Hi Team,
Servers can have multiple hostkeys with different algorithms(rsa, ed25519,ecdsa etc). Similarly multiple server(host) certs for each algorithms can be imported to be used in host key validation.

In case of multiple certs on same host (assuming all have same hiba extensions) which algorithms should be priotised for client certificates hiba extension validation.

Should it be based on sshd_config which HostCertificate entry comes first.

(if all host certs have same extension using anyone should pass but if we have a documentation around it, that will be great)

[blunderer]

HIBA doesn't force any solution here, everything is configure by the host owner. The ability to attach the HIBA identity to the host certificate is for convenience (when distributing from a PKI that integrates with HIBA, it might save one file copy).

The hiba-chk commandline supports reading the identity from one location only (managing multiple sources of truth will often lead to convergence issues). This source of truth is manually selected in the SSHd config at setup time, when configuring the hiba-chk command line, not automatically linked to a host certificate at evaluation time.

When dealing with multiple host certificates, as I see it, you have 2 options:

1. pick one host certificate file/algorithm and treat it as the refernce. This one will get the HIBA identity attached.
2. store the HIBA identity as a separate file and load it directly, decorrelated from the host certificate altogether.

I hope this answers your questions. Feel free to reopen otherwise.