IETF-SSH archive


Re: Fwd: Support for ECDSA and SHA-2 (SHA-256) in the SSHFP record



Did anyone on this list have any comment on 
https://tools.ietf.org/html/draft-os-ietf-sshfp-ecdsa-sha2

It seemed pretty reasonable to me, and I'd like to move ahead implementing
it in OpenSSH particularly for the ECDSA support.

-d

On Sat, 30 Jul 2011, Ondřej Surý wrote:

> > On 30. 7. 2011, at 14:21, Damien Miller wrote:
> > 
> >> Thanks for starting work on this - SSHFP records for ECDSA keys were on
> >> my TODO list, but I haven't yet got around to them.
> > 
> >> I briefly skimmed your draft - one question I have is whether it is
> >> better to roll up all the ECDSA key types under one SSHFP RR type.
> >> It would be quite ugly to have to allocate SSHFP RR type numbers for
> >> each possible ECDSA curve type, but using a single one might make
> >> exploitation of SHA256 preimage attacks easier.
> > 
> > My knowledge of cryptography is not so strong, so that's probably a good question for the security area advisory group as well.
> > 
> >> The latter is a theoretical concern, so I think a single RR type is
> >> probably correct.
> > 
> > I'll be happy to accept any changes to the draft.  I already had the different ECDSA curves in the draft, but it was suggested by my fellow AD that one is probably enough.
> > 
> >> It would probably be best to continue discussion of this on the IETF SSH
> >> list.
> > 
> > I thought that secsh was concluded, but it seems that the mailing list is still up.  Ccing there as well.
> > 
> > Anyone who responds please get rid of openssh-unix-dev list when replying, so we don't spam them with ietf flames :)
> > 
> > O.
> > 
> >> On Thu, 28 Jul 2011, Ondřej Surý wrote:
> >> 
> >>> Hi,
> >>> 
> >>> I was sure I sent this to openssh%openssh.com@localhost, but cannot find that email now in my Sent mailbox, so I am sending it to the developers list.
> >>> 
> >>> I took the liberty of writing an I-D with an accompanying patch (with contributions from Ondrej Caletka) to support ECDSA in the SSHFP DNS resource record.
> >>> 
> >>> The I-D is here: https://tools.ietf.org/html/draft-os-ietf-sshfp-ecdsa-sha2 (and the source XML here: https://git.nic.cz/redmine/projects/ietf/repository/revisions/master/changes/draft-os-ietf-sshfp-ecdsa-sha2-00.xml)
> >>> 
> >>> The patch to vanilla 5.8 here: https://git.nic.cz/redmine/projects/ietf/repository/revisions/master/changes/ssh-sshfp-ecdsa.patch
> >>> 
> >>> Please Cc: me as I am not (and don't intend to be) subscribed to the list.  I will check the archives occasionally, but Cc: would be appreciated.
> >>> 
> >>> Thanks,
> >>> O.
> >>> --
> >>> Ondřej Surý
> >>> vedoucí výzkumu/Head of R&D department
> >>> -------------------------------------------
> >>> CZ.NIC, z.s.p.o.    --    Laboratoře CZ.NIC
> >>> Americka 23, 120 00 Praha 2, Czech Republic
> >>> mailto:ondrej.sury%nic.cz@localhost    http://nic.cz/
> >>> tel:+420.222745110       fax:+420.222745112
> >>> -------------------------------------------
> 
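
Added example, not part of the original thread or of the patch it links to: Python code that derives an SSHFP RDATA value with a SHA-256 fingerprint from an OpenSSH public key line. It assumes the numbers later published in RFC 6594 (algorithm 3 for ECDSA of any curve, fingerprint type 2 for SHA-256), and the sample keys are constructed filler, not real keys. The curve name sits inside the hashed key blob, so a single ECDSA number still gives curve-specific fingerprints.

```python
import base64
import hashlib
import struct

# Algorithm numbers 1 and 2 come from RFC 4255; ECDSA (all curves) is 3 in RFC 6594.
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2}
ECDSA_PREFIX = "ecdsa-sha2-"
FP_SHA256 = 2  # fingerprint type 2 = SHA-256 (RFC 6594)

def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def read_string(blob: bytes, offset: int):
    """Read one SSH string at offset; return (value, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("string runs past end of key blob")
    return blob[offset + 4:end], end

def sshfp_rdata(pubkey_line: str) -> str:
    """Return '<algorithm> <fp-type> <hex>' for one OpenSSH public key line."""
    declared, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    raw_type, off = read_string(blob, 0)
    key_type = raw_type.decode("ascii")
    if key_type != declared:
        raise ValueError("key type in blob does not match the declared type")
    if key_type.startswith(ECDSA_PREFIX):
        # The blob repeats the curve identifier; it is covered by the hash below.
        curve, _ = read_string(blob, off)
        if key_type != ECDSA_PREFIX + curve.decode("ascii"):
            raise ValueError("curve identifier does not match key type")
        algo = 3
    else:
        algo = SSHFP_ALGO[key_type]  # KeyError for types without a number here
    return f"{algo} {FP_SHA256} {hashlib.sha256(blob).hexdigest()}"

def constructed_ecdsa_line(curve: str) -> str:
    """Build a well-formed public key line from filler bytes (constructed, not a real key)."""
    name = ECDSA_PREFIX + curve
    point = b"\x04" + bytes(range(64))  # filler in place of an EC point
    blob = ssh_string(name.encode()) + ssh_string(curve.encode()) + ssh_string(point)
    return f"{name} {base64.b64encode(blob).decode()} constructed@example"
```

Calling sshfp_rdata() on constructed_ecdsa_line("nistp256") and constructed_ecdsa_line("nistp384") gives two records that both start with "3 2" but carry different fingerprints.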