IETF-SSH archive


Re: Support for ECDSA and SHA-2 (SHA-256) in the SSHFP record



On Mon, Sep 5, 2011 at 11:11 AM, Ondřej Surý <ondrej.sury%nic.cz@localhost> wrote:
> Hi Ben,
>
> On 5. 9. 2011, at 12:02, Ben Laurie wrote:
>> On Mon, Sep 5, 2011 at 2:16 AM, Damien Miller <djm%mindrot.org@localhost> wrote:
>>>
>>> Did anyone on this list have any comment on
>>> https://tools.ietf.org/html/draft-os-ietf-sshfp-ecdsa-sha2
>>
>> Makes sense to me _except_ it refers to RFC 4255 for the format of the
>> resource record, and implicitly for the calculation of the
>> fingerprint. RFC 4255 refers to RFC 4253 for the fingerprint
>> calculation. However, 4253 doesn't mention fingerprints at all. Or I'm
>> missing something.
>
> I think that 4255 refers to 4253 for "public key blob" and not calculating
> the fingerprint.

Well, OK, but "public key blob" does not appear in 4253 either. And
even if it did, it would not be completely obvious how to calculate
the fingerprint from it (presumably just feed the bytes to the hash
algorithm, but...)

>
>> Anyway, bottom line is I don't know how to calculate the fingerprint :-)
>
>
> Looks like the RFC4255 #3.1.3 could be clearer than:
>
>   The message-digest algorithm is presumed to produce an opaque octet
>   string output, which is placed as-is in the RDATA fingerprint field.
>
> But the question is - is it worth updating in this particular I-D?  Isn't
> this more an errata for RFC4255 type of update?

Yes.

> I don't mind adding a paragraph or two about the calculation of the fingerprint,
> but it seems to be awfully close to our legislation process when you can update
> non-related law as an attachment to a different law.  And this scares me.
>
> Ccing Jakob as an author of RFC4255.
>
> O.
> --
>  Ondřej Surý
>  vedoucí výzkumu/Head of R&D department
>  -------------------------------------------
>  CZ.NIC, z.s.p.o.    --    Laboratoře CZ.NIC
>  Americka 23, 120 00 Praha 2, Czech Republic
>  mailto:ondrej.sury%nic.cz@localhost    http://nic.cz/
>  tel:+420.222745110       fax:+420.222745112
>  -------------------------------------------
>
>
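
Added example, not part of the original message: a sketch of the reading discussed in the thread, in which the fingerprint is the digest of the raw public key blob (the base64 field of an OpenSSH `.pub` line), which is also what `ssh-keygen -r` emits. The host name and the sample key are constructed; the ECDSA and SHA-256 numbers are the ones later registered for this draft in RFC 6594.

```python
import base64
import hashlib
import struct

# SSHFP key algorithm numbers: RSA=1, DSS=2 (RFC 4255); ECDSA=3 (RFC 6594).
KEY_ALGS = {"ssh-rsa": 1, "ssh-dss": 2}
# SSHFP fingerprint types: SHA-1=1 (RFC 4255); SHA-256=2 (RFC 6594).
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data):
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def sshfp_alg(key_type):
    if key_type.startswith("ecdsa-sha2-"):
        return 3
    if key_type not in KEY_ALGS:
        raise ValueError("no SSHFP algorithm number for " + key_type)
    return KEY_ALGS[key_type]


def sshfp_records(host, pubkey_line):
    """Build SSHFP records from one line of an OpenSSH *.pub file."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob starts with its own key-type string; refuse a line whose
    # textual label disagrees with the bytes that actually get hashed.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type label does not match key blob")
    alg = sshfp_alg(key_type)
    # The digest is taken over the raw blob bytes and placed as-is (hex in
    # presentation format) in the RDATA fingerprint field.
    return ["%s IN SSHFP %d %d %s" % (host, alg, fp, h(blob).hexdigest())
            for fp, h in sorted(FP_TYPES.items())]


def sample_ecdsa_line():
    """Constructed key line: well-formed blob layout, dummy point bytes."""
    point = b"\x04" + bytes(range(64))  # not a real curve point
    blob = (ssh_string(b"ecdsa-sha2-nistp256") + ssh_string(b"nistp256")
            + ssh_string(point))
    return "ecdsa-sha2-nistp256 %s constructed@example" % (
        base64.b64encode(blob).decode("ascii"))


if __name__ == "__main__":
    print("\n".join(sshfp_records("host.example.", sample_ecdsa_line())))
```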


