
Re: Feedback from uri list



Niels suggested:

> ssh://user@host.example.com?fingerprint=ssh-dss-c1b13029d7b8de6c977710d746416387

I like that proposal because I think the separator characters in the 
fingerprint (such as '-' or ':') are superfluous, unnecessary, 
redundant. :)

I suggest the following variation - wrapped for clarity:

ssh://user@host.example.com
  ?fp-md5-ssh-dss=c1b13029d7b8de6c977710d746416387
  &fp-sha1-ssh-rsa=0c112b31435062798d7b8de6c977710d746416387

Nice, short, and to the point.

Everything after "fp-" and before the second dash is the hash algorithm. 
Everything after the second dash is the host key algorithm.

This allows more freedom for the host key algorithm than the hash. I 
expect it's more likely that important use cases will require unusual 
host key algorithms (e.g. certificates, elliptic curves) than that they 
will require unexpected hashes.

I suppose you need the "ssh-dss" or "ssh-rsa" part so that you can pick 
the right algorithm(s) for host key negotiation.

denis
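As an added illustration (my code, not part of denis's message or of any SSH implementation), here is a parser and checker for the `fp-<hash>-<hostkeyalg>=<hex>` form proposed above. The sample key blob, `build_uri` and `verify_host_key` are my own assumptions; the host key algorithm is read from the length-prefixed name that leads every SSH wire-format public key blob.

```python
import hashlib
import hmac
from urllib.parse import urlsplit, parse_qsl, urlencode


def ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used in SSH wire-format key blobs."""
    return len(data).to_bytes(4, "big") + data


# Constructed sample "ssh-rsa" blob (not a real key): algorithm name, e, n.
SAMPLE_KEY_BLOB = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
                   + ssh_string(b"\x00" + bytes(range(1, 65))))


def key_algorithm(blob: bytes) -> str:
    """The host key algorithm name that leads every SSH public key blob."""
    n = int.from_bytes(blob[:4], "big")
    return blob[4:4 + n].decode("ascii")


def parse_fingerprints(uri: str) -> dict:
    """Map (hash_alg, key_alg) -> hex digest from fp-<hash>-<keyalg>=<hex>."""
    pins = {}
    for name, value in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        if not name.startswith("fp-"):
            continue  # unrelated query parameter
        pieces = name.split("-", 2)  # hash is the field before the second dash
        if len(pieces) != 3 or not pieces[1] or not pieces[2]:
            raise ValueError(f"malformed fingerprint parameter: {name}")
        pins[(pieces[1], pieces[2])] = value.lower()
    return pins


def build_uri(user: str, host: str, blob: bytes, hash_algs=("md5",)) -> str:
    """Emit a URI in the proposed form for the given host key blob."""
    params = [(f"fp-{h}-{key_algorithm(blob)}", hashlib.new(h, blob).hexdigest())
              for h in hash_algs]
    return f"ssh://{user}@{host}?{urlencode(params)}"


def verify_host_key(uri: str, blob: bytes) -> bool:
    """True only if the blob's algorithm is pinned and every pin for it matches."""
    alg = key_algorithm(blob)
    relevant = {h: d for (h, k), d in parse_fingerprints(uri).items() if k == alg}
    if not relevant:
        return False  # no fingerprint for this key algorithm: nothing to trust
    for hash_alg, expected in relevant.items():
        if hash_alg not in hashlib.algorithms_available:
            raise ValueError(f"unsupported hash algorithm: {hash_alg}")
        actual = hashlib.new(hash_alg, blob).hexdigest()
        if not hmac.compare_digest(actual, expected):
            return False
    return True
```

A key whose algorithm has no `fp-*-<alg>` parameter is rejected rather than silently trusted, which is the failure mode a pinning scheme most needs to get right.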



