IETF-SSH archive


Re: Support for ECDSA and SHA-2 (SHA-256) in the SSHFP record



Hi Damien,

the implementation for OpenSSH is already done and working (see the link to git
named patch for vanilla 5.8 below in the first mail).

Ondrej

On 5. 9. 2011, at 3:16, Damien Miller wrote:

> 
> Did anyone on this list have any comment on 
> https://tools.ietf.org/html/draft-os-ietf-sshfp-ecdsa-sha2
> 
> It seemed pretty reasonable to me, and I'd like to move ahead implementing
> it in OpenSSH particularly for the ECDSA support.
> 
> -d
> 
> On Sat, 30 Jul 2011, Ondřej Surý wrote:
> 
>>> On 30. 7. 2011, at 14:21, Damien Miller wrote:
>>> 
>>>> Thanks for starting work on this - SSHFP records for ECDSA keys were on
>>>> my TODO list, but I haven't yet got around to them.
>>> 
>>>> I briefly skimmed your draft - one question I have is whether it is
>>>> better to roll up all the ECDSA key types under one SSHFP RR type.
>>>> It would be quite ugly to have to allocate SSHFP RR type numbers for
>>>> each possible ECDSA curve type, but using a single one might make
>>>> exploitation of SHA256 preimage attacks easier.
>>> 
>>> My knowledge of cryptography is not so strong, so that's probably a good question for the security area advisory group as well.
>>> 
>>>> The latter is a theoretical concern, so I think a single RR type is
>>>> probably correct.
>>> 
>>> I'll be happy to accept any changes to the draft.  I already had the different ECDSA curves in the draft, but it was suggested by my fellow AD that one is probably enough.
>>> 
>>>> It would probably be best to continue discussion of this on the IETF SSH
>>>> list.
>>> 
>>> I thought that secsh was concluded, but it seems that the mailing list is still up.  Ccing there as well.
>>> 
>>> Anyone who responds please get rid of openssh-unix-dev list when replying, so we don't spam them with ietf flames :)
>>> 
>>> O.
>>> 
>>>> On Thu, 28 Jul 2011, Ondřej Surý wrote:
>>>> 
>>>>> Hi,
>>>>> 
>>>>> I was sure I sent this to openssh%openssh.com@localhost, but cannot find that email now in my Sent mailbox, so I am sending it to the developers list.
>>>>> 
>>>>> I took the liberty and wrote an I-D with an accompanying patch (with contributions from Ondrej Caletka) to support ECDSA in the SSHFP DNS resource record.
>>>>> 
>>>>> The I-D is here: https://tools.ietf.org/html/draft-os-ietf-sshfp-ecdsa-sha2 (and the source XML here: https://git.nic.cz/redmine/projects/ietf/repository/revisions/master/changes/draft-os-ietf-sshfp-ecdsa-sha2-00.xml)
>>>>> 
>>>>> The patch to vanilla 5.8 here: https://git.nic.cz/redmine/projects/ietf/repository/revisions/master/changes/ssh-sshfp-ecdsa.patch
>>>>> 
>>>>> Please Cc: me as I am not (and don't intend to be) subscribed to the list.  I will check the archives occasionally, but Cc: would be appreciated.
>>>>> 
>>>>> Thanks,
>>>>> O.
>>>>> --
>>>>> Ondřej Surý
>>>>> vedoucí výzkumu/Head of R&D department
>>>>> -------------------------------------------
>>>>> CZ.NIC, z.s.p.o.    --    Laboratoře CZ.NIC
>>>>> Americka 23, 120 00 Praha 2, Czech Republic
>>>>> mailto:ondrej.sury%nic.cz@localhost    http://nic.cz/
>>>>> tel:+420.222745110       fax:+420.222745112
>>>>> -------------------------------------------
>>>>> 
>>>>> 
>>> 

--
 Ondřej Surý
 vedoucí výzkumu/Head of R&D department
 -------------------------------------------
 CZ.NIC, z.s.p.o.    --    Laboratoře CZ.NIC
 Americka 23, 120 00 Praha 2, Czech Republic
 mailto:ondrej.sury%nic.cz@localhost    http://nic.cz/
 tel:+420.222745110       fax:+420.222745112
 -------------------------------------------
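As an added illustration of what the draft discussed in this thread specifies (example code, not from the draft, OpenSSH or the linked patch): generating and verifying an SSHFP record for an ECDSA host key with a SHA-256 fingerprint, with all three NIST curves rolled up under one algorithm number as Damien suggested. It assumes the code points the draft was later published with as RFC 6594 (algorithm 3 = ECDSA, fingerprint type 2 = SHA-256); the sample key blob is constructed filler, not a real key.

```python
import base64
import hashlib
import hmac
import struct

# Algorithm numbers 1 (RSA) and 2 (DSA) come from RFC 4255; 3 (ECDSA) and
# fingerprint type 2 (SHA-256) from RFC 6594, which this draft became.
# Every ECDSA curve shares the single algorithm number discussed above.
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}  # fingerprint types


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length prefix)."""
    return struct.pack(">I", len(data)) + data


def sshfp_record(pubkey_line: str, fptype: int = 2) -> str:
    """Build SSHFP RDATA ('algo fptype hex') from a public key line in
    authorized_keys/known_hosts form: '<type> <base64 blob> [comment]'.
    The fingerprint is the hash of the raw key blob, exactly as in RFC 4255."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    algo = SSHFP_ALGORITHM[keytype]  # KeyError for unsupported key types
    return f"{algo} {fptype} {SSHFP_HASH[fptype](blob).hexdigest()}"


def sshfp_matches(rdata: str, pubkey_line: str) -> bool:
    """Verify a presented host key against one (DNSSEC-validated) SSHFP RR.
    Algorithm and fingerprint type must both match before hashing."""
    algo, fptype, digest = rdata.split()
    keytype, b64 = pubkey_line.split()[:2]
    if SSHFP_ALGORITHM.get(keytype) != int(algo) or int(fptype) not in SSHFP_HASH:
        return False
    expected = SSHFP_HASH[int(fptype)](base64.b64decode(b64)).hexdigest()
    return hmac.compare_digest(expected, digest.lower())


def constructed_ecdsa_key(curve: str = "nistp256") -> str:
    """Constructed sample key: a well-formed ecdsa-sha2-* blob whose point
    bytes are filler (not a real curve point), enough to exercise the above."""
    keytype = f"ecdsa-sha2-{curve}"
    point = b"\x04" + b"\x11" * 64
    blob = (ssh_string(keytype.encode()) + ssh_string(curve.encode())
            + ssh_string(point))
    return f"{keytype} {base64.b64encode(blob).decode()} sample@example.invalid"
```

The RDATA returned by `sshfp_record` is what goes after `IN SSHFP` in the zone; a verifier should only trust it when the answer carried a validated DNSSEC signature.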



