[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Feedback from uri list

From: nisse at lysator.liu.se (Niels Möller)
To: "Joseph Salowey (jsalowey)" <jsalowey at cisco.com>
Cc: <ietf-ssh at netbsd.org>
Date: Tue, 13 Oct 2009 15:26:39 +0200
In-reply-to: <AC1CFD94F59A264488DC2BEC3E890DE508E89E3D at xmb-sjc-225.amer.cisco.com> (Joseph Salowey's message of "Mon, 12 Oct 2009 21:05:52 -0700")
References: <20091009203714.GA18094 at braingia.org> <20091011205317.GD16377 at chiark.greenend.org.uk> <AC1CFD94F59A264488DC2BEC3E890DE508E89E3D at xmb-sjc-225.amer.cisco.com>

"Joseph Salowey (jsalowey)" <jsalowey at cisco.com> writes:

> In addition to the one you raised its not
> clear that we could move to a hash other than MD5.  This is hard coded
> in RFC 4716.  While this probably isn't a problem know it could be a
> weakness in the future.  I'm pretty sure I've run into SSH
> implementations that display SHA-1 fingerprints as well.   I suppose we
> could have an encoding that was something like
> host-key-alg-hash-alg-fingerprint.

To upgrade from md5, I think the simplest way is to use a new
parameter name, like

  ssh://user at host.example.com?fingerprint-sha1=ssh-dss-xxxx...xx

or

  ssh://user at host.example.com?fingerprint-hash-of-the-day=ssh-dss-xxxx...xx

whenever there's a proper spec for non-md5 fingerprints.

/Niels

Follow-Ups:
- Re: Feedback from uri list
  - From: t.petch
- Re: Feedback from uri list
  - From: Steve Suehring

References:
- Feedback from uri list
  - From: Steve Suehring
- Re: Feedback from uri list
  - From: Jacob Nevins
- RE: Feedback from uri list
  - From: Joseph Salowey (jsalowey)

Prev by Date: Re: Feedback from uri list
Next by Date: Re: Feedback from uri list
Previous by thread: RE: Feedback from uri list
Next by thread: Re: Feedback from uri list
Index(es):
- Date
- Thread

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.