Support for ECDSA and SHA-2 (SHA-256) in the SSHFP record

Ondřej Surý ondrej.sury at nic.cz
Sun Jul 31 10:54:41 EST 2011 

Hi Damien,

On 30. 7. 2011, at 14:21, Damien Miller wrote:

> Thanks for starting work on this - SSHFP records for ECDSA keys were on
> my TODO list, but I haven't yet got around to them.

> I briefly skimmed your draft - one question I have is whether it is
> better to roll up all the ECDSA key types under one SSHFP RR type.
> It would be quite ugly to have to allocate SSHFP RR type numbers for
> each possible ECDSA curve type, but using a single one might make
> exploitation of SHA256 preimage attacks easier.

My knowledge of cryptography is not so strong, so that's probably good question for security area advisory group as well.

> The latter is a theoretical concern, so I think a single RR type is
> probably correct.

I'll be happy to accept any changes to the draft.  I already had the different ECDSA curves in the draft, but it was suggested by my fellow AD that one is probably enough.

> It would probably be best to continue discussion of this on the IETF SSH
> list.

I thought that secsh was concluded, but it seems that the mailing list is still up.  Ccing there as well.

Anyone who responds please get rid of openssh-unix-dev list when replying, so we don't spam them with ietf flames :)

O.

> On Thu, 28 Jul 2011, Ond?ej Sur? wrote:
> 
>> Hi,
>> 
>> I was sure I sent this to openssh at openssh.com, but cannot find that email now in my Sent mailbox, so I am sending it to the developers list.
>> 
>> I took a liberty and wrote an I-D with accompanying patch (with contributions from Ondrej Caletka) to support ECDSA in the SSHFP DNS resource record.
>> 
>> The I-D is here: https://tools.ietf.org/html/draft-os-ietf-sshfp-ecdsa-sha2 (and the source XML here: https://git.nic.cz/redmine/projects/ietf/repository/revisions/master/changes/draft-os-ietf-sshfp-ecdsa-sha2-00.xml)
>> 
>> The patch to vanilla 5.8 here: https://git.nic.cz/redmine/projects/ietf/repository/revisions/master/changes/ssh-sshfp-ecdsa.patch
>> 
>> Please Cc: me as I am not (and don't intend to be) subscribed to the list.  I will check the archives occasionally, but Cc: would be appreciated.
>> 
>> Thanks,
>> O.
>> --
>> Ond?ej Sur?
>> vedouc? v?zkumu/Head of R&D department
>> -------------------------------------------
>> CZ.NIC, z.s.p.o.    --    Laborato?e CZ.NIC
>> Americka 23, 120 00 Praha 2, Czech Republic
>> mailto:ondrej.sury at nic.cz    http://nic.cz/
>> tel:+420.222745110       fax:+420.222745112
>> -------------------------------------------
>> 
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>> 

--
 Ondřej Surý
 vedoucí výzkumu/Head of R&D department
 -------------------------------------------
 CZ.NIC, z.s.p.o.    --    Laboratoře CZ.NIC
 Americka 23, 120 00 Praha 2, Czech Republic
 mailto:ondrej.sury at nic.cz    http://nic.cz/
 tel:+420.222745110       fax:+420.222745112
 -------------------------------------------

More information about the openssh-unix-dev mailing list