Key fingerprints (not the DNS kind)
Damien Miller
djm at mindrot.org
Mon Nov 10 11:11:12 EST 2014
On Mon, 10 Nov 2014, Damien Miller wrote:
> I'm not so concerned about how to display the new fingerprints. Say
> we choose SHA512/224, which yields a 28 byte hash. Rendering this as
> base64 gives us a 38 character string, well shorter than our current
> key fingerprints. (e.g. "GIeKHpiBrP7zaEf7Blicgvez5JceCBfSaESlkA")
Actually, better still would be embeddeding an algorithm identifier at
the start of the hash, i.e. "A:GIeKHpiBrP7zaEf7Blicgvez5JceCBfSaESlkA"
in case some time in the distant future we need to rotate away from
whatever we choose to replace MD5.
-d
More information about the openssh-unix-dev
mailing list