Thanks Mark,
Yes, I'm happy to AD sponsor. No one objected when I asked
before and it seems quite reasonable.
Ondřej - I'll start an IETF LC since there only seem to be
typos to be fixed.
Cheers,
S.
On 11/23/2011 06:06 AM, Mark D. Baushke wrote:
Hi Daniel,
Daniel Kahn Gillmor<dkg%fifthhorseman.net@localhost> writes:
hi folks:
it looks like ssh-keygen -r can't export SSHFP records for ECDSA keys:
0 dkg@pip:/tmp/cdtemp.oiRYAS$ ssh-keygen -f foobar -t ecdsa -q -P ''
0 dkg@pip:/tmp/cdtemp.oiRYAS$ ssh-keygen -r foobar -f foobar.pub
export_dns_rr: unsupported algorithm
0 dkg@pip:/tmp/cdtemp.oiRYAS$
the first number in my prompt is the return code of the last command;
note that ssh-keygen -r fails to produce an SSHFP DNS RR, but it
returns 0.
at the least, it should return non-zero on failure.
I note that the relevant RFC doesn't include an enumeration for ECDSA:
https://tools.ietf.org/html/rfc4255#section-3.1.1
Could anyone on this list kick off the IETF process for allocating a new
ID in that registry for ECDSA? I'm not currently involved in the IETF's
Network Working Group so i don't really know the political landscape
there.
I believe that the SSH development community will need to support this
effort:
http://tools.ietf.org/html/draft-os-ietf-sshfp-ecdsa-sha2-00
which specifies values for both the ECDSA algorithm and a SHA-256
fingerprint algorithm.
RFC 4255 enumerates the RSA and DSS algorithms and the SHA-1 fingerprint
type.
draft-os-ietf-sshfp-ecdsa-sha2-00 authored by O. Sury has a typo in the
draft suggesting that they update RFC 4225 which is wrong, but it seems
to be a simple typo as the body of the draft references RFC 4255.
However, it does add ECDSA to the SSHFP RR types and SHA-256 to the
fingerprint types.
The draft expires on Dec 18, 2011.
This draft was sent to saag%ietf.org@localhost and the author also wrote a patch
for OpenSSH (portable) in
https://git.nic.cz/redmine/projects/ietf/repository/revisions/master/entry/ssh-sshfp-ecdsa.patch
See the message thread here:
http://www.ietf.org/mail-archive/web/saag/current/msg03326.html
http://www.ietf.org/mail-archive/web/saag/current/msg03327.html
Stephen Farrell<stephen.farrell%cs.tcd.ie@localhost> says that the author is
asking the AD to sponsor the work. And Warren Kumari<warren%kumari.net@localhost>
has added his support.
This seems like something that should be raised on the
ietf-ssh%NetBSD.org@localhost list with a CC to saag%ietf.org@localhost, so
I have added these two lists to my response to this message.
For the record, my vote is +1 for this draft.
-- Mark
_______________________________________________
saag mailing list
saag%ietf.org@localhost
https://www.ietf.org/mailman/listinfo/saag
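As an added example, not code from this thread, from OpenSSH or from the draft author's patch, the script below does what ssh-keygen -r is asked to do above: it parses an OpenSSH public-key line, hashes the decoded key blob, and emits SSHFP records for both the RFC 4255 SHA-1 fingerprint type and the SHA-256 type the draft adds, and it exits non-zero on an unsupported key type instead of the silent success Daniel reports. The hostname, the key blobs and the function names are constructed for the example. Algorithm numbers 1 (RSA) and 2 (DSS) and fingerprint type 1 (SHA-1) come from RFC 4255; algorithm 3 for ECDSA and fingerprint type 2 for SHA-256 are the values the draft proposed and that the published registry (RFC 6594) later carries, which this thread does not state.

```python
import base64
import hashlib
import struct
import sys

# SSHFP algorithm numbers. 1 and 2 are from RFC 4255 section 3.1.1; 3 for
# ECDSA is the value draft-os-ietf-sshfp-ecdsa-sha2 proposed and the IANA
# registry now carries (RFC 6594), not a value quoted in the thread.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
}

# SSHFP fingerprint types. 1 (SHA-1) is from RFC 4255; 2 (SHA-256) is the
# value the draft proposed and the registry now carries.
SSHFP_FINGERPRINT_TYPES = {
    1: hashlib.sha1,
    2: hashlib.sha256,
}


def parse_public_key_line(line):
    """Split an OpenSSH public-key line into (key type, decoded key blob).

    Raises ValueError if the line is malformed or if the key-type token at
    the front of the line does not match the type string encoded at the
    start of the blob (a cheap consistency check before publishing in DNS).
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("malformed public key line")
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    # SSH wire format: uint32 length, then the key-type string, then key data.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    embedded_type = blob[4:4 + name_len].decode("ascii", errors="replace")
    if embedded_type != key_type:
        raise ValueError(
            f"key type {key_type!r} does not match blob type {embedded_type!r}")
    return key_type, blob


def sshfp_records(hostname, line, fp_types=(1, 2)):
    """Return SSHFP zone-file lines for one OpenSSH public-key line.

    The fingerprint is the hash of the whole decoded key blob, as RFC 4255
    specifies. Unsupported key types raise ValueError so that a caller can
    exit non-zero rather than succeed silently.
    """
    key_type, blob = parse_public_key_line(line)
    try:
        alg = SSHFP_ALGORITHMS[key_type]
    except KeyError:
        raise ValueError(f"unsupported algorithm: {key_type}") from None
    records = []
    for fp_type in fp_types:
        digest = SSHFP_FINGERPRINT_TYPES[fp_type](blob).hexdigest()
        records.append(f"{hostname} IN SSHFP {alg} {fp_type} {digest}")
    return records


def make_sample_line(key_type, payload):
    """Build a constructed public-key line: type, base64(blob), comment.

    The blob is the SSH wire encoding of the type string followed by
    arbitrary bytes standing in for key material; it is not a real key.
    """
    blob = struct.pack(">I", len(key_type)) + key_type.encode() + payload
    return f"{key_type} {base64.b64encode(blob).decode()} constructed@example"


if __name__ == "__main__":
    # Constructed ECDSA sample; a real run would read the .pub file instead.
    sample = make_sample_line("ecdsa-sha2-nistp256", b"\x00" * 16)
    try:
        for rr in sshfp_records("host.example.", sample):
            print(rr)
    except ValueError as exc:
        print(f"export_dns_rr: {exc}", file=sys.stderr)
        sys.exit(1)
```

Two records come out per key, one per fingerprint type, so a resolver that only knows RFC 4255 can still use the SHA-1 record while newer clients prefer SHA-256; the mismatch check between the leading token and the blob's embedded type catches a key file whose first field was edited by hand.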