> > Everything after "fp-" and before the second dash
> > is the hash algorithm.
>
> This presupposes that hash algorithm names contain no dashes.

No, it presupposes that new hash algorithms come around infrequently enough
that people can settle on names for them that don't contain dashes.

> > I suppose you need the "ssh-dss" or "ssh-rsa" part
> > so that you can pick the right algorithm(s) for host
> > key negotiation.
>
> No, you don't. SSH has algorithm negotiation;
> a client doesn't need to be told up front what
> algorithms to use.

Yes, you do. SSH has algorithm negotiation. The SSH URL specifies a
fingerprint of one or more of the server's public keys. If the client
doesn't know in advance the algorithm of the host key for which the
fingerprint is provided, the client might negotiate the wrong host key
algorithm, and end up with a different key that is a mismatch to the one
for which the client has the fingerprint.

If you are okay restricting yourself to only ONE hash and host key
algorithm combination per SSH URL, then a syntax such as the following
would be cleanest:

    ssh://user@host.example.com
      ?fp=c1b13029d7b8de6c977710d746416387
      &hash=md5
      &keyalg=ssh-dss

But this restricts you as explained above. If you want it to be possible
for an SSH URI to contain an unrestricted combination of fingerprints for
various host key algorithms, using various hash functions, then you need
something like what I proposed before:

    ssh://user@host.example.com
      ?fp-md5-ssh-dss=c1b13029d7b8de6c977710d746416387
      &fp-sha1-ssh-rsa=0c112b31435062798d7b8de6c977710d746416387
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.
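The following is an added example, not code from this thread or from any SSH implementation. It parses the two query syntaxes contrasted in the message above (the single fp=/hash=/keyalg= triple and the multi-fingerprint fp-<hash>-<keyalg>= form), restricts the host key algorithms a client should offer to those the URI gives a fingerprint for, and checks a presented wire-format host key blob against the fingerprints. The key blob, the fingerprint values and the URI it builds are constructed here for illustration; the hash names and the rule that the hash name is the first dash-separated token after "fp-" are taken from the thread.

```python
"""Parse the fingerprint parameters of an ssh:// URI in the two forms
contrasted above and verify a presented host key against them.
Constructed example for this thread, not code from any SSH implementation."""
import hashlib
import struct
from urllib.parse import parse_qsl, urlsplit

# Hash algorithms the URI may name; the "fp-<hash>-<keyalg>" form relies on
# these names containing no dash, so the first token after "fp-" is the hash.
HASHES = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha256": hashlib.sha256}


def _check_hex(hash_name, value):
    """Normalise a fingerprint to lowercase hex and check its length."""
    if hash_name not in HASHES:
        raise ValueError("unsupported hash algorithm: %s" % hash_name)
    value = value.lower().replace(":", "")
    want = HASHES[hash_name]().digest_size * 2
    if len(value) != want or any(c not in "0123456789abcdef" for c in value):
        raise ValueError("bad %s fingerprint %r (need %d hex digits)"
                         % (hash_name, value, want))
    return value


def parse_fingerprints(uri):
    """Return {(hash_name, key_alg): hex_digest}.

    Accepts any number of fp-<hash>-<keyalg>=<hex> parameters (the
    multi-fingerprint syntax) and, for comparison, the single
    fp=&hash=&keyalg= triple, which can carry only one combination per URI."""
    params = dict(parse_qsl(urlsplit(uri).query, keep_blank_values=True))
    out = {}
    for name, value in params.items():
        if name.startswith("fp-"):
            # Key algorithm names may contain dashes (ssh-rsa, ssh-dss), so
            # split only on the first dash after "fp-".
            hash_name, sep, key_alg = name[3:].partition("-")
            if not sep or not key_alg:
                raise ValueError("malformed parameter: %s" % name)
            out[(hash_name, key_alg)] = _check_hex(hash_name, value)
    if "fp" in params:
        if "hash" not in params or "keyalg" not in params:
            raise ValueError("fp= needs both hash= and keyalg=")
        out[(params["hash"], params["keyalg"])] = _check_hex(params["hash"],
                                                             params["fp"])
    return out


def allowed_host_key_algorithms(fingerprints):
    """Host key algorithms the client should offer in negotiation: only those
    the URI gives a fingerprint for, so the server cannot steer it onto a key
    the client has no way to verify."""
    return sorted({key_alg for _, key_alg in fingerprints})


def verify_host_key(fingerprints, key_alg, key_blob):
    """True only if every fingerprint the URI gives for key_alg matches the
    hash of the key blob (SSH fingerprints are hashes of the wire-format
    public key). A key algorithm the URI says nothing about is rejected: that
    is the mismatch the message warns about."""
    matched = False
    for (hash_name, alg), expected in fingerprints.items():
        if alg != key_alg:
            continue
        if HASHES[hash_name](key_blob).hexdigest() != expected:
            return False
        matched = True
    return matched


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def make_key_blob(key_alg, *fields):
    """Build a wire-format public key blob: string keyalg, then each field."""
    return _ssh_string(key_alg.encode()) + b"".join(_ssh_string(f) for f in fields)


# Constructed sample key (not a real RSA key): exponent 65537 and a dummy modulus.
SAMPLE_RSA_BLOB = make_key_blob("ssh-rsa", b"\x01\x00\x01", b"\x00\xc3" + b"\x5a" * 30)

# URI in the multi-fingerprint form: an md5 and a sha1 fingerprint of the sample
# key, plus an unrelated (all-zero, constructed) md5 fingerprint for ssh-dss.
EXAMPLE_URI = ("ssh://user@host.example.com"
               "?fp-md5-ssh-rsa=" + hashlib.md5(SAMPLE_RSA_BLOB).hexdigest() +
               "&fp-sha1-ssh-rsa=" + hashlib.sha1(SAMPLE_RSA_BLOB).hexdigest() +
               "&fp-md5-ssh-dss=" + "00" * 16)

if __name__ == "__main__":
    fps = parse_fingerprints(EXAMPLE_URI)
    print("offer host key algorithms:", allowed_host_key_algorithms(fps))
    print("ssh-rsa key verifies:", verify_host_key(fps, "ssh-rsa", SAMPLE_RSA_BLOB))
    print("ssh-ed25519 key verifies:", verify_host_key(fps, "ssh-ed25519", SAMPLE_RSA_BLOB))
```

Running the block offers only ssh-dss and ssh-rsa for negotiation, accepts the sample ssh-rsa key, and rejects a key of an algorithm the URI carries no fingerprint for, which is exactly the case where a client that negotiated freely would end up holding a key it cannot check.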