IETF-SSH archive
Fwd: Support for ECDSA and SHA-2 (SHA-256) in the SSHFP record
[Forgot to Cc: to secsh]
Begin forwarded message:
> From: Ondřej Surý <ondrej.sury%nic.cz@localhost>
> Subject: Re: Support for ECDSA and SHA-2 (SHA-256) in the SSHFP record
> Date: 30 July 2011 20:54:41 GMT-04:00
> To: Damien Miller <djm%mindrot.org@localhost>
> Cc: openssh-unix-dev%mindrot.org@localhost, jakob%openbsd.org@localhost, saag%ietf.org@localhost
>
> Hi Damien,
>
> On 30. 7. 2011, at 14:21, Damien Miller wrote:
>
>> Thanks for starting work on this - SSHFP records for ECDSA keys were on
>> my TODO list, but I haven't yet got around to them.
>
>> I briefly skimmed your draft - one question I have is whether it is
>> better to roll up all the ECDSA key types under one SSHFP RR type.
>> It would be quite ugly to have to allocate SSHFP RR type numbers for
>> each possible ECDSA curve type, but using a single one might make
>> exploitation of SHA256 preimage attacks easier.
>
> My knowledge of cryptography is not so strong, so that's probably a good question for the security area advisory group as well.
>
>> The latter is a theoretical concern, so I think a single RR type is
>> probably correct.
>
> I'll be happy to accept any changes to the draft. I already had the different ECDSA curves in the draft, but it was suggested by my fellow AD that one is probably enough.
>
>> It would probably be best to continue discussion of this on the IETF SSH
>> list.
>
> I thought that secsh was concluded, but it seems that the mailing list is still up. Ccing there as well.
>
> Anyone who responds please get rid of openssh-unix-dev list when replying, so we don't spam them with ietf flames :)
>
> O.
>
>> On Thu, 28 Jul 2011, Ondřej Surý wrote:
>>
>>> Hi,
>>>
>>> I was sure I sent this to openssh%openssh.com@localhost, but cannot find that email now in my Sent mailbox, so I am sending it to the developers list.
>>>
>>> I took the liberty and wrote an I-D with accompanying patch (with contributions from Ondrej Caletka) to support ECDSA in the SSHFP DNS resource record.
>>>
>>> The I-D is here: https://tools.ietf.org/html/draft-os-ietf-sshfp-ecdsa-sha2 (and the source XML here: https://git.nic.cz/redmine/projects/ietf/repository/revisions/master/changes/draft-os-ietf-sshfp-ecdsa-sha2-00.xml)
>>>
>>> The patch to vanilla 5.8 here: https://git.nic.cz/redmine/projects/ietf/repository/revisions/master/changes/ssh-sshfp-ecdsa.patch
>>>
>>> Please Cc: me as I am not (and don't intend to be) subscribed to the list. I will check the archives occasionally, but Cc: would be appreciated.
>>>
>>> Thanks,
>>> O.
>>> --
>>> Ondřej Surý
>>> vedoucí výzkumu/Head of R&D department
>>> -------------------------------------------
>>> CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
>>> Americka 23, 120 00 Praha 2, Czech Republic
>>> mailto:ondrej.sury%nic.cz@localhost http://nic.cz/
>>> tel:+420.222745110 fax:+420.222745112
>>> -------------------------------------------
>
> --
> Ondřej Surý
> vedoucí výzkumu/Head of R&D department
> -------------------------------------------
> CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
> Americka 23, 120 00 Praha 2, Czech Republic
> mailto:ondrej.sury%nic.cz@localhost http://nic.cz/
> tel:+420.222745110 fax:+420.222745112
> -------------------------------------------
>
--
Ondřej Surý
vedoucí výzkumu/Head of R&D department
-------------------------------------------
CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
Americka 23, 120 00 Praha 2, Czech Republic
mailto:ondrej.sury%nic.cz@localhost http://nic.cz/
tel:+420.222745110 fax:+420.222745112
-------------------------------------------
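
The single-algorithm-number question discussed in this thread, as an added example that is not part of the original messages or of the patch they mention: it builds SSHFP records for ECDSA keys on two curves and shows that the record carries one algorithm number while the curve name sits inside the hashed key blob. Assumptions: algorithm number 3 and fingerprint type 2 are the values RFC 6594 later assigned; the key lines and the owner name `host.example.` are constructed samples with dummy point bytes.

```python
import base64
import hashlib
import struct

# Assumed from RFC 6594 (published after this thread), not stated in the messages.
SSHFP_ALG_ECDSA = 3   # one algorithm number shared by every ECDSA curve
SSHFP_FP_SHA256 = 2   # fingerprint type for SHA-256

def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def read_ssh_string(blob: bytes, offset: int):
    """Decode one SSH string, rejecting lengths that run past the blob."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("string overruns key blob")
    return blob[offset + 4:end], end

def sshfp_for_ecdsa(pubkey_line: str, owner: str) -> str:
    """Build an SSHFP record from an OpenSSH 'type base64 [comment]' line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected 'type base64 [comment]'")
    key_type = fields[0].encode()
    blob = base64.b64decode(fields[1], validate=True)
    inner_type, off = read_ssh_string(blob, 0)
    curve, off = read_ssh_string(blob, off)
    if not key_type.startswith(b"ecdsa-sha2-") or inner_type != key_type:
        raise ValueError("not an ECDSA key, or outer/inner type mismatch")
    if key_type != b"ecdsa-sha2-" + curve:
        raise ValueError("curve identifier does not match key type")
    # The digest covers the whole key blob, so the curve name is hashed too,
    # even though the record itself names no curve.
    digest = hashlib.sha256(blob).hexdigest()
    return f"{owner} IN SSHFP {SSHFP_ALG_ECDSA} {SSHFP_FP_SHA256} {digest}"

def constructed_key(curve: str, coord_bytes: int) -> str:
    """Constructed sample key line: dummy point bytes, not a real key."""
    point = b"\x04" + bytes(range(2 * coord_bytes))
    name = f"ecdsa-sha2-{curve}".encode()
    blob = ssh_string(name) + ssh_string(curve.encode()) + ssh_string(point)
    return f"{name.decode()} {base64.b64encode(blob).decode()} constructed"

if __name__ == "__main__":
    for curve, size in (("nistp256", 32), ("nistp384", 48)):
        print(sshfp_for_ecdsa(constructed_key(curve, size), "host.example."))
```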