IETF-SSH archive
Re: Feedback from uri list
----- Original Message -----
> From: "Niels Möller" <nisse%lysator.liu.se@localhost>
> Sent: Tuesday, October 13, 2009 3:26 PM
>
> "Joseph Salowey (jsalowey)" <jsalowey%cisco.com@localhost> writes:
>
> > In addition to the one you raised it's not
> > clear that we could move to a hash other than MD5. This is hard coded
> > in RFC 4716. While this probably isn't a problem now it could be a
> > weakness in the future. I'm pretty sure I've run into SSH
> > implementations that display SHA-1 fingerprints as well. I suppose we
> > could have an encoding that was something like
> > host-key-alg-hash-alg-fingerprint.
>
> To upgrade from md5, I think the simplest way is to use a new
> parameter name, like
>
> ssh://user%host.example.com@localhost?fingerprint-sha1=ssh-dss-xxxx...xx
>
> or
>
> ssh://user%host.example.com@localhost?fingerprint-hash-of-the-day=ssh-dss-xxxx...xx
>
> whenever there's a proper spec for non-md5 fingerprints.

syslog had a need for fingerprints, albeit not as part of a URI, and used
the registry from RFC 4572 for the hash algorithm. syslog mandates sha-1
and the fingerprint has the format

   sha-1:E1:2D:53:2B:7C:6B:8A:29:A2:76:C8:64:36:0B:08:4B:7A:F1:9E:9D

upper case, colon separated.

Tom Petch
>
> /Niels
>
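
The labelled format described in the reply above carries the hash algorithm inside the fingerprint, so a verifier can accept or refuse an algorithm by policy instead of assuming MD5. An added example (not code from the thread or from any RFC) that formats, parses and checks such fingerprints; the function names, the accepted-algorithm policy and the sample bytes are assumptions.

```python
import hashlib
import hmac
import re

# Hash labels in the style of the RFC 4572 registry -> (hashlib name, digest size).
HASHES = {"md5": ("md5", 16), "sha-1": ("sha1", 20),
          "sha-256": ("sha256", 32), "sha-512": ("sha512", 64)}
# Local policy (assumption): labels this verifier still accepts.
ACCEPTED = frozenset({"sha-1", "sha-256", "sha-512"})

_HEX_PAIRS = re.compile(r"[0-9A-F]{2}(?::[0-9A-F]{2})*")
SAMPLE_BLOB = b"constructed sample key or certificate bytes"  # constructed input


def format_fingerprint(label, data):
    """Return 'label:XX:XX:...' in upper-case, colon-separated hex."""
    digest = hashlib.new(HASHES[label][0], data).digest()
    return label + ":" + ":".join("%02X" % b for b in digest)


def parse_fingerprint(text):
    """Split a labelled fingerprint into (label, digest bytes), strictly."""
    label, sep, hexpart = text.partition(":")
    if not sep or label not in HASHES:
        raise ValueError("unknown hash label: %r" % label)
    if not _HEX_PAIRS.fullmatch(hexpart):
        raise ValueError("expected upper-case, colon-separated hex")
    digest = bytes.fromhex(hexpart.replace(":", ""))
    if len(digest) != HASHES[label][1]:
        raise ValueError("wrong digest length for " + label)
    return label, digest


def verify(text, data, accepted=ACCEPTED):
    """True only if the label is allowed by policy and the digest matches."""
    label, expected = parse_fingerprint(text)
    if label not in accepted:
        return False  # well-formed, but the algorithm is refused by policy
    actual = hashlib.new(HASHES[label][0], data).digest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    fp = format_fingerprint("sha-256", SAMPLE_BLOB)
    print(fp, verify(fp, SAMPLE_BLOB))
```

Which bytes are hashed (an SSH public key blob, a certificate) is set by the protocol using the fingerprint, not by this format.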