> which, syntactically, is providing conflicting values to a
> single parameter. That's whence the attempt to move the
> to the left side of the equal sign in some way.

Yes, exactly.

> It's ugly, but you could base64-encode both:

A form of base64-encoding is an option if the goal is to fully preserve SSH algorithm names at the expense of human readability and manageability. Something like base64-encoding would also permit any kind of private algorithm name to be expressed.

The major drawback is that human readability and manageability of SSH URIs would be drastically reduced this way. But in the vast majority of cases, the algorithms used would be completely standard and predictable ones which could have very practical names.

How about this approach:

(1) The fingerprint parameter name is of the form fp-<hashAlg>-<hostKeyAlg>.

(2) A few shorthand parameter names are defined for commonly used algorithms, so the following commonly used combinations (and possibly more) can be easily expressed: fp-md5-rsa, fp-md5-dss, fp-sha1-rsa, fp-sha1-dss.

(3) If either <hashAlg> or <hostKeyAlg> is something that doesn't have one of these common names, it is prefixed with '+' instead of '-', and represented in a version of base64 that doesn't pick any unwelcome characters as the extra two in the alphabet.

Examples:

fp+bWQ1-rsa
fp-sha1+c3NoLXJzYQ
fp+bWQ1+c3NoLXJzYQ
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.
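The naming scheme proposed in the message above, worked through as an added example; it is not code from the thread or from any SSH implementation. The function names are hypothetical, and the choice of '_' and '.' as the two extra base64 characters, with padding dropped, is an assumption, since the message leaves that alphabet open.

```python
import base64
import re

# Shorthand names listed in the message; anything else must be encoded.
HASH_SHORT = {"md5", "sha1"}
KEY_SHORT = {"rsa", "dss"}
# Assumption: '_' and '.' are the two extra base64 characters, so neither
# collides with the '-' and '+' delimiters; '=' padding is dropped.
ALT = b"_."
NAME_RE = re.compile(r"fp([-+])([A-Za-z0-9_.]+)([-+])([A-Za-z0-9_.]+)")


def _encode(alg, shorthand):
    """Return '-name' for a shorthand name, '+<base64>' for anything else."""
    if alg in shorthand:
        return "-" + alg
    raw = base64.b64encode(alg.encode("ascii"), altchars=ALT)
    return "+" + raw.decode("ascii").rstrip("=")


def _decode(marker, text, shorthand):
    """Reverse _encode, rejecting unknown shorthand and malformed base64."""
    if marker == "-":
        if text not in shorthand:
            raise ValueError(f"unknown shorthand: {text!r}")
        return text
    padded = text + "=" * (-len(text) % 4)
    try:
        raw = base64.b64decode(padded, altchars=ALT, validate=True)
        return raw.decode("ascii")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError(f"bad encoded name: {text!r}") from exc


def build_fp_param(hash_alg, host_key_alg):
    """Build the parameter name, preferring the readable shorthand form."""
    return "fp" + _encode(hash_alg, HASH_SHORT) + _encode(host_key_alg, KEY_SHORT)


def parse_fp_param(name):
    """Parse a parameter name into (hash_alg, host_key_alg).

    'fp-md5-rsa' and 'fp+bWQ1-rsa' parse to the same tuple, so callers
    should compare parsed tuples, never the raw parameter names.
    """
    m = NAME_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"not a fingerprint parameter name: {name!r}")
    return (_decode(m[1], m[2], HASH_SHORT), _decode(m[3], m[4], KEY_SHORT))
```
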