IETF-SSH archive
Re: Support for ECDSA and SHA-2 (SHA-256) in the SSHFP record
Hi Ben,

On 5. 9. 2011, at 12:02, Ben Laurie wrote:

> On Mon, Sep 5, 2011 at 2:16 AM, Damien Miller <djm%mindrot.org@localhost> wrote:
>>
>> Did anyone on this list have any comment on
>> https://tools.ietf.org/html/draft-os-ietf-sshfp-ecdsa-sha2
>
> Makes sense to me _except_ it refers to RFC 4255 for the format of the
> resource record, and implicitly for the calculation of the
> fingerprint. RFC 4255 refers to RFC 4253 for the fingerprint
> calculation. However, 4253 doesn't mention fingerprints at all. Or I'm
> missing something.

I think that 4255 refers to 4253 for "public key blob" and not calculating
the fingerprint.

> Anyway, bottom line is I don't know how to calculate the fingerprint :-)

Looks like the RFC4255 #3.1.3 could be clearer than:

   The message-digest algorithm is presumed to produce an opaque octet
   string output, which is placed as-is in the RDATA fingerprint field.

But the question is - is it worth updating in this particular I-D? Isn't
this more an errata for RFC4255 type of update?

I don't mind adding a paragraph or two about the calculation of the fingerprint,
but it seems to be awfully close to our legislation process when you can update
non-related law as an attachment to a different law. And this scares me.

Ccing Jakob as an author of RFC4255.

O.
--
Ondřej Surý
vedoucí výzkumu/Head of R&D department
-------------------------------------------
CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
Americka 23, 120 00 Praha 2, Czech Republic
mailto:ondrej.sury%nic.cz@localhost http://nic.cz/
tel:+420.222745110 fax:+420.222745112
-------------------------------------------
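
Added example, not part of the original message or of the draft: the calculation asked about in the thread, taking the fingerprint as the digest of the whole RFC 4253 public key blob, placed as-is in the RDATA. The key is constructed (correct layout, not a real RSA key), the owner name is hypothetical, and the code points 3 (ECDSA) and 2 (SHA-256) are those registered for RFC 6594, the published form of this draft.

```python
import base64
import hashlib
import struct

# SSHFP key algorithm numbers: 1 and 2 are from RFC 4255; ECDSA (3) is handled below.
KEY_ALGS = {b"ssh-rsa": 1, b"ssh-dss": 2}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}

def ssh_string(data: bytes) -> bytes:
    """Encode an RFC 4251 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def key_algorithm(blob: bytes) -> int:
    """Map the key format name that leads the public key blob to an SSHFP number."""
    if len(blob) < 4:
        raise ValueError("blob too short for a length prefix")
    (n,) = struct.unpack(">I", blob[:4])
    name = blob[4:4 + n]
    if len(name) != n:
        raise ValueError("truncated key format name")
    if name.startswith(b"ecdsa-sha2-"):
        return 3
    if name not in KEY_ALGS:
        raise ValueError("no SSHFP algorithm number for %r" % name)
    return KEY_ALGS[name]

def sshfp_records(owner: str, pubkey_line: str) -> list:
    """Build SSHFP records from one 'type base64-blob [comment]' public key line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected 'type base64-blob [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    if not blob.startswith(ssh_string(fields[0].encode())):
        raise ValueError("key type field does not match the blob")
    alg = key_algorithm(blob)
    # The digest covers the whole blob and goes into the RDATA unmodified.
    return ["%s IN SSHFP %d %d %s" % (owner, alg, t, h(blob).hexdigest())
            for t, h in sorted(FP_TYPES.items())]

# Constructed sample: correct blob layout, but not a real RSA key.
SAMPLE_BLOB = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
               + ssh_string(b"\x00" + bytes(range(1, 33))))
SAMPLE_LINE = "ssh-rsa %s constructed@example" % base64.b64encode(SAMPLE_BLOB).decode()

if __name__ == "__main__":
    for record in sshfp_records("host.example.", SAMPLE_LINE):  # hypothetical owner name
        print(record)
```
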