Jacob Nevins <jacobn+secsh at chiark.greenend.org.uk> writes:
> Convenient characters other than hyphen for delimiting/separation appear
> to be the other "unreserved" URI characters -- "." / "_" / "~". (All of
> these are valid in host key algorithm names.)
Hmm. The draft says

    fingerprint format is
    [RFC4716]. For use in a URI, the fingerprint shall use a single
    dash "-" as a separator instead of the colon ":" as described in
    [RFC4716].

If we can't use the separator specified in RFC4716, maybe it's simpler
to just drop the separator rather than replace it? I.e.,
ssh://user;fingerprint=ssh-dss-c1b13029d7b8de6c977710d746416387 at host.example.com
or
ssh://user at host.example.com?fingerprint=ssh-dss-c1b13029d7b8de6c977710d746416387
That would eliminate the syntactic ambiguity: whatever comes after the
last dash is the actual fingerprint, and whatever comes before is the
host key algorithm. Maybe not so human-friendly, though. But it should
work fine with . as fingerprint separator too.
One could also do it like
ssh://user at host.example.com?hostkey-alg=ssh-dss&fingerprint=c1-b1-30-29-d7-b8-de-6c-97-77-10-d7-46-41-63-87
but to support multiple fingerprints one would need to make the
ordering of parameters significant. I think it makes sense to reuse
the URI-way of separating different items, although I haven't thought
deeply about the issues.
Regards,
/Niels
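The three URI shapes discussed in this message (parameter in the userinfo, in the query, and a separate hostkey-alg parameter) can all be parsed with the "split on the last dash" rule Niels describes. The following is an added example, not code from the thread or from any RFC; the URIs and the fingerprint bytes are constructed for illustration, and the parser assumes an MD5 fingerprint of 16 bytes as in RFC 4716.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed example URIs in the three shapes proposed in the message;
# the fingerprint value is illustrative, not a real host key digest.
EXAMPLES = [
    "ssh://user;fingerprint=ssh-dss-c1b13029d7b8de6c977710d746416387@host.example.com",
    "ssh://user@host.example.com?fingerprint=ssh-dss-c1b13029d7b8de6c977710d746416387",
    "ssh://user@host.example.com?hostkey-alg=ssh-dss"
    "&fingerprint=c1-b1-30-29-d7-b8-de-6c-97-77-10-d7-46-41-63-87",
]

def split_alg_fingerprint(value):
    """Split 'alg-hex' on the LAST dash: everything before it is the host key
    algorithm name (which may itself contain dashes), everything after is the
    fingerprint. This is the rule that removes the syntactic ambiguity."""
    alg, sep, hexpart = value.rpartition("-")
    if not sep or not alg:
        raise ValueError("no algorithm/fingerprint separator in %r" % value)
    return alg, hexpart

def normalize_fingerprint(hexpart):
    """Accept plain hex or hex separated by '-', ':' or '.'; return the digest
    as 32 lowercase hex digits (a 128-bit MD5 digest as in RFC 4716)."""
    digest = re.sub(r"[-:.]", "", hexpart).lower()
    if not re.fullmatch(r"[0-9a-f]{32}", digest):
        raise ValueError("fingerprint is not 16 bytes of hex: %r" % hexpart)
    return digest

def parse_ssh_uri(uri):
    """Return (algorithm, normalized fingerprint) from a URI in any of the
    three shapes above. A query parameter takes precedence over the userinfo form."""
    parts = urlsplit(uri)
    query = parse_qs(parts.query)
    alg = query.get("hostkey-alg", [None])[0]
    fp = query.get("fingerprint", [None])[0]
    if fp is None and parts.username and ";" in parts.username:
        # ssh://user;fingerprint=...@host form: parameters live in the userinfo
        for param in unquote(parts.username).split(";")[1:]:
            name, _, val = param.partition("=")
            if name == "fingerprint":
                fp = val
    if fp is None:
        raise ValueError("no fingerprint in URI")
    if alg is None:
        alg, fp = split_alg_fingerprint(fp)
    return alg, normalize_fingerprint(fp)
```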