IETF-SSH archive
Re: Feedback from uri list
> > Everything after "fp-" and before the second dash
> > is the hash algorithm.
> This presupposes that hash algorithm names contain no dashes.
No, it presupposes that new hash algorithms come around infrequently
enough that people can settle on names for them that don't contain
dashes.
> > I suppose you need the "ssh-dss" or "ssh-rsa" part
> > so that you can pick the right algorithm(s) for host
> > key negotiation.
> No, you don't. SSH has algorithm negotiation;
> a client doesn't need to be told up front what
> algorithms to use.
Yes, you do. SSH has algorithm negotiation. The SSH URL specifies a
fingerprint of one or more of the server's public keys. If the client
doesn't know in advance the algorithm of the host key for which the
fingerprint is provided, the client might negotiate the wrong host key
algorithm, and end up with a different key that is a mismatch to the one
for which the client has the fingerprint.
If you are okay restricting yourself to only ONE hash and host key
algorithm combination per SSH URL, then a syntax such as the following
would be cleanest:
ssh://user%host.example.com@localhost
?fp=c1b13029d7b8de6c977710d746416387
&hash=md5
&keyalg=ssh-dss
But this restricts you as explained above.
If you want it to be possible for an SSH URI to contain an unrestricted
combination of fingerprints for various host key algorithms, using
various hash functions, then you need something like what I proposed before:
ssh://user%host.example.com@localhost
?fp-md5-ssh-dss=c1b13029d7b8de6c977710d746416387
&fp-sha1-ssh-rsa=0c112b31435062798d7b8de6c977710d746416387
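The parsing rule the message describes (everything between "fp-" and the next dash is the hash name, the remainder is the host key algorithm, which may itself contain dashes) and the negotiation concern it raises can be tried out in code. The following is an added example written for this archive page; it is not code from any of the list participants. It parses both query syntaxes shown in the message, uses the URI from the message as a constructed sample, restricts the host key algorithms a client would offer to those the URI carries fingerprints for, and checks a negotiated key blob against the fingerprint with a constant-time comparison. Function names, the length check, and the sample key blob are assumptions of the example, not something the message specifies.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: the second URI form from the message, joined onto one line.
SAMPLE_URI = (
    "ssh://user%host.example.com@localhost"
    "?fp-md5-ssh-dss=c1b13029d7b8de6c977710d746416387"
    "&fp-sha1-ssh-rsa=0c112b31435062798d7b8de6c977710d746416387"
)


def parse_fingerprints(uri):
    """Return {(hash_name, key_alg): hex_fingerprint} from the URI query.

    Accepts both syntaxes from the message: "fp-<hash>-<keyalg>=<hex>" (any
    number of them) and the single "fp=<hex>&hash=<name>&keyalg=<name>" form.
    The hash name is everything between "fp-" and the next dash, so it may
    not contain a dash; the key algorithm is the rest and may (e.g. "ssh-dss").
    """
    params = parse_qsl(urlsplit(uri).query, keep_blank_values=True)
    fps = {}
    for name, value in params:
        if name.startswith("fp-"):
            hash_name, sep, key_alg = name[len("fp-"):].partition("-")
            if not sep or not hash_name or not key_alg:
                raise ValueError(f"malformed fingerprint parameter: {name}")
            fps[(hash_name, key_alg)] = value.lower()
    single = dict(params)
    if "fp" in single:
        # Single-fingerprint form: all three parameters must be present.
        if "hash" not in single or "keyalg" not in single:
            raise ValueError("fp= requires hash= and keyalg=")
        fps[(single["hash"], single["keyalg"])] = single["fp"].lower()
    return fps


def host_key_algorithms(fps):
    """Key algorithms the client should limit its host-key proposal to, in
    URI order, so negotiation cannot select a key the URI has no fingerprint
    for (the mismatch the message warns about)."""
    ordered = []
    for _, key_alg in fps:
        if key_alg not in ordered:
            ordered.append(key_alg)
    return ordered


def fingerprint(hash_name, key_blob):
    """Hex digest of a raw public key blob under the named hash."""
    return hashlib.new(hash_name, key_blob).hexdigest()


def malformed_fingerprints(fps):
    """(hash_name, key_alg) pairs whose value is not hex of the digest length
    of the named hash, or whose hash name this Python does not support."""
    bad = []
    for (hash_name, key_alg), hexval in fps.items():
        try:
            expected_len = 2 * hashlib.new(hash_name).digest_size
        except ValueError:
            bad.append((hash_name, key_alg))
            continue
        is_hex = all(c in "0123456789abcdef" for c in hexval)
        if len(hexval) != expected_len or not is_hex:
            bad.append((hash_name, key_alg))
    return bad


def key_matches(fps, key_alg, key_blob):
    """True only if the URI carries at least one fingerprint for key_alg and
    every such fingerprint matches key_blob. A key of an algorithm with no
    fingerprint in the URI is rejected rather than silently accepted."""
    candidates = [(h, v) for (h, k), v in fps.items() if k == key_alg]
    if not candidates:
        return False
    for hash_name, hexval in candidates:
        try:
            actual = fingerprint(hash_name, key_blob)
        except ValueError:
            return False
        if not hmac.compare_digest(actual, hexval):
            return False
    return True


if __name__ == "__main__":
    fps = parse_fingerprints(SAMPLE_URI)
    print("fingerprints:", fps)
    print("offer host key algorithms:", host_key_algorithms(fps))
    print("malformed entries:", malformed_fingerprints(fps))
```

Running the block on the sample URI reports the sha1 entry as malformed: the value in the message is 41 hex digits, while a SHA-1 digest is 40. A client should treat such an entry as a configuration error rather than a key mismatch, which is why the length check is separate from the comparison in key_matches.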