IETF-SSH archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Feedback from uri list



"denis bider \(Bitvise\)" <ietf-ssh2%denisbider.com@localhost> writes:

> To go further - you could just make it a rule that any algorithm names 
> that contain dashes get the dashes stripped.

I think it's very ugly to specify such an arbitrary munging of
characters. There is a well defined namespace and procedures for ssh
algorithm names. When refering to algorithms used in the SSH protocol,
those names ought to be used, and used properly.

This URI syntax should defined so that either we need no separator
character to separate multiple algorithm names within a parameter or
value, or we use the single separator character which is not allowed in
an ssh name, ",". Ok, that's not allowed in an URI (at least a
previous mail in this thread said so), but it can be hex-escaped,
right?

Anyway, I'd favor

  fp-md5=ssh-dss-c1b13029d7b8de6c977710d746416387

or the more verbose

  fingerprint-md5=ssh-dss-c1b13029d7b8de6c977710d746416387
  
Theres no ambiguity in the value, since the fingerprint value can't
contain any dashes. The string before the last dash in the value is a
proper ssh parameter name (and if anybody defines a name including &
or ? or other uri magic characters, they should obviously be
hex-escaped. Thinking about it, @ seems to be the most likely
problematic character in practice, if that character is still magic in
this context. Unfortunately, I'm not so familiar with URI syntax
details).

And for the parameter name, don't think about it as family
fingerprint-<arbitrary hash algorithm name>, but as one *particular*
parameter, the meaning of which is defined precisely in the ssh-uri
document. The meaning of fingerprint-hash-of-the-day is at this point
not specified at all.

And I think another reason why I dislike

  fp-md5-sshdss=

is that it in seems to defines a whole family of parameters. I'd prefer
a small and *limited* set of parameter names, and then everything that
is intended to be general and unlimited, such as "any hostkey algorithm
that can be used in some current or future implementation of the SSH
protocol" belongs in some *value*, not in a parameter name.

Regards,
/Niels



Home | Main Index | Thread Index | Old Index