stephen.farrell at cs
Dec 6, 2011, 7:26 AM
Re: [saag] ssh-keygen -r should support SSHFP records for ECDSA (or at least return non-zero error code on failure)
FYI - IETF last call for this has just gone out.
Please comment on ietf [at] ietf if there are issues
that need to be raised.
On 11/23/2011 08:25 AM, Stephen Farrell wrote:
> Thanks Mark,
> Yes, I'm happy to AD sponsor. No one objected when I asked
> before and it seems quite reasonable.
> Ondřej - I'll start an IETF LC since there only seem to be
> typos to be fixed.
> On 11/23/2011 06:06 AM, Mark D. Baushke wrote:
>> Hi Daniel,
>> Daniel Kahn Gillmor <dkg [at] fifthhorseman> writes:
>>> hi folks:
>>> it looks like ssh-keygen -r can't export SSHFP records for ECDSA keys:
>>> 0 dkg [at] pi:/tmp/cdtemp.oiRYAS$ ssh-keygen -f foobar -t ecdsa -q -P ''
>>> 0 dkg [at] pi:/tmp/cdtemp.oiRYAS$ ssh-keygen -r foobar -f foobar.pub
>>> export_dns_rr: unsupported algorithm
>>> 0 dkg [at] pi:/tmp/cdtemp.oiRYAS$
>>> the first number in my prompt is the return code of the last command;
>>> note that ssh-keygen -r fails to produce an SSHFP DNS RR, but it
>>> returns 0.
>>> at the least, it should return non-zero on failure.
>>> I note that the relevant RFC doesn't include an enumeration for ECDSA:
>>> Could anyone on this list kick off the IETF process for allocating a new
>>> ID in that registry for ECDSA? I'm not currently involved in the IETF's
>>> Network Working Group so i don't really know the political landscape
>> I believe that the SSH development community will need to support this
>> which specifies values for both the ECDSA algorithm and a SHA-256
>> fingerprint algorithm.
>> RFC 4255 enumerates the RSA and DSS algorithms and the SHA-1 fingerprint
>> draft-os-ietf-sshfp-ecdsa-sha2-00 authored by O. Sury has a typo in the
>> draft suggesting that they update RFC 4225 which is wrong, but it seems
>> to be a simple typo as the body of the draft references RFC 4255.
>> However, it does add ECDSA to the SSHFP RR types and SHA-256 to the
>> fingerprint types.
>> The draft expires on Dec 18, 2011.
>> This draft was sent to saag [at] ietf and the author also wrote a patch
>> for OpenSSH (portable) in
>> See the message thread here:
>> Stephen Farrell <stephen.farrell [at] cs> says that the author is
>> asking the AD to sponsor the work. And Warren Kumari <warren [at] kumari>
>> has added his support.
>> This seems like something that should be raised on the
>> ietf-ssh [at] NetBSD list with a CC to saag [at] ietf, so
>> I have added these two lists to my response to this message.
>> For the record, my vote is +1 for this draft.
>> -- Mark
>> saag mailing list
>> saag [at] ietf
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
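As an added example (not OpenSSH's code and not text from the draft), the following Python builds SSHFP records from an OpenSSH public-key line the way the thread wants ssh-keygen -r to, and returns a non-zero status when the key type is unsupported instead of printing an error and exiting 0. The ECDSA algorithm number 3 and SHA-256 fingerprint type 2 come from RFC 6594, which is what the draft discussed above was later published as, not from this page; the key blobs are constructed and "ssh-futurealg" is a hypothetical key type.

```python
"""Emit SSHFP resource records for an OpenSSH public key line (added example, not OpenSSH code)."""
import base64
import hashlib
import struct
import sys

# Key type -> SSHFP algorithm number. RSA/DSS are from RFC 4255; ECDSA=3 is what the draft
# discussed above became when published (RFC 6594), which also added SHA-256 as fingerprint type 2.
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3}
SSHFP_FINGERPRINTS = {1: hashlib.sha1, 2: hashlib.sha256}  # fingerprint type -> hash


class UnsupportedAlgorithm(ValueError):
    """Raised instead of printing an error yet exiting 0, the ssh-keygen behaviour reported above."""


def sshfp_records(hostname, pubkey_line):
    """Return one 'host IN SSHFP <alg> <fptype> <hex>' string per fingerprint type."""
    keytype, b64blob = pubkey_line.split()[:2]
    blob = base64.b64decode(b64blob)
    # The wire-format blob starts with its own type string; it must agree with the text label.
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length] != keytype.encode():
        raise ValueError("key type label does not match key blob")
    if keytype not in SSHFP_ALGORITHMS:
        raise UnsupportedAlgorithm(f"export_dns_rr: unsupported algorithm {keytype}")
    # RFC 4255: the fingerprint is the hash over the raw public key blob.
    return [f"{hostname} IN SSHFP {SSHFP_ALGORITHMS[keytype]} {fptype} {h(blob).hexdigest()}"
            for fptype, h in sorted(SSHFP_FINGERPRINTS.items())]


def export_dns_rr(hostname, pubkey_line):
    """CLI-style wrapper: print the records and return 0, or report the failure and return 1."""
    try:
        for rr in sshfp_records(hostname, pubkey_line):
            print(rr)
        return 0
    except UnsupportedAlgorithm as exc:
        print(exc, file=sys.stderr)
        return 1  # non-zero on failure, as the thread asks of ssh-keygen -r


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


# Constructed key blobs (the ECDSA point bytes are filler; 'ssh-futurealg' is hypothetical).
ECDSA_BLOB = (_ssh_string(b"ecdsa-sha2-nistp256") + _ssh_string(b"nistp256")
              + _ssh_string(b"\x04" + bytes(range(64))))
ECDSA_LINE = "ecdsa-sha2-nistp256 " + base64.b64encode(ECDSA_BLOB).decode() + " dkg@pi"
FUTURE_LINE = "ssh-futurealg " + base64.b64encode(_ssh_string(b"ssh-futurealg") + bytes(8)).decode()

if __name__ == "__main__":
    sys.exit(max(export_dns_rr("foobar", ECDSA_LINE), export_dns_rr("foobar", FUTURE_LINE)))
```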