Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
draft-ietf-secsh-dns-05
Revision differences
Document history
| Date | Rev. | By | Action |
|---|---|---|---|
|
2003-09-17
|
05 | Natalia Syracuse | State Changes to RFC Ed Queue from Approved-announcement sent by Natalia Syracuse |
|
2003-09-12
|
05 | Amy Vezza | IESG state changed to Approved-announcement sent |
|
2003-09-12
|
05 | Amy Vezza | IESG has approved the document |
|
2003-09-12
|
05 | Amy Vezza | Closed "Approve" ballot |
|
2003-09-05
|
05 | (System) | New version available: draft-ietf-secsh-dns-05.txt |
|
2003-09-04
|
05 | Russ Housley | State Changes to IESG Evaluation from IESG Evaluation::Point Raised - writeup needed by Russ Housley |
|
2003-09-04
|
05 | Russ Housley | Authors have responded to DISCUSS comments from Thomas Narten and Randy Bush. |
|
2003-09-04
|
05 | Russ Housley | Status date has been changed to 2003-09-04 from 2003-07-15 |
|
2003-08-11
|
05 | Michael Lee | Removed from agenda for telechat - 2003-08-07 by Michael Lee |
|
2003-08-07
|
05 | Amy Vezza | State Changes to IESG Evaluation::Point Raised - writeup needed from IESG Evaluation by Amy Vezza |
|
2003-08-05
|
05 | (System) | [Ballot Position Update] New position, Yes, has been recorded for Russ Housley |
|
2003-08-05
|
05 | (System) | [Ballot Position Update] Position for Ted Hardie has been changed to No Objection from No Record |
|
2003-08-05
|
05 | (System) | [Ballot Position Update] New position, Yes, has been recorded for Steven Bellovin |
|
2003-08-05
|
05 | (System) | [Ballot Position Update] Position for Randy Bush has been changed to Discuss from No Record |
|
2003-08-05
|
05 | Ted Hardie | [Ballot comment] In the text: While some security-conscious users verify the fingerprint out-of-band before accepting the key, … [Ballot comment] In the text: While some security-conscious users verify the fingerprint out-of-band before accepting the key, many users blindly accepts the presented key. accepts should probably be accept. In the references, this refers to RFC 2535 and nothing else; an updated reference would be good. |
|
2003-07-30
|
05 | (System) | Ballot has been issued |
|
2003-07-30
|
05 | Randy Bush | [Ballot discuss] 1. Introduction The SSH [5] protocol provides secure remote login and other secure network services over an … [Ballot discuss] 1. Introduction The SSH [5] protocol provides secure remote login and other secure network services over an insecure network. The security of the connection relies on the server authenticating itself to the client. it also relies on the user on the client host authenticating themself to the server. though this is not germane to this document, the above statement could be dangerous out of context. --- Server authentication is normally done by presenting the fingerprint of an unknown public key to the user for verification. the public key is not unknown, in fact the opposite. if it was unknown, then all ssh would offer is being able to talk to the same liar all the time. :-) perhaps "unique" is what was meant? --- 2.4 Authentication A public key verified using this method MUST only be trusted if the SSHFP resource record (RR) used for verification was authenticated by a trusted SIG RR. may want to say that the trust must either come from a validated trust descent from the root or from a validated descent from a zone trusted because of a locally known association. --- The overall security of using SSHFP for SSH host key verification is dependent on detailed aspects of how verification is done in SSH implementations. and of the practices of securing the data inserted in the SSHFP RR in the dns and in the client host's diligence in accessing those data securely. c.f. the discussion on draft-ietf-dnsext-ad-is-secure-06.txt --- nits: fingerprint out-of-band before accepting the key, many users blindly accepts the presented key. ^ - algorithm and fingerprint of the key received from the SSH server matches the algorithm and fingerprint of one of the SSHFP resource ^^ - A message digest of the public key, using the message digest algorithm specified in the SSHFP fingerprint type, MUST match the SSH FP fingerprint. ^ - 3.2 Presentation Format of the SSHFP RR The presentation format of the SSHFP resource record consists of two numbers (algorithm and fingerprint type) followed by the fingerprint itself presented in hex, e.g: host.example. SSHFP 2 1 123456789abcdef67890123456789abcdef67890 well bad wording, actually, as the example shows, the presentation format consists of the label, the RR type, SSHFP, and ... randy |
|
2003-07-30
|
05 | Randy Bush | Created "Approve" ballot |
|
2003-07-30
|
05 | (System) | Ballot writeup text was added |
|
2003-07-30
|
05 | (System) | Last call text was added |
|
2003-07-30
|
05 | (System) | Ballot approval text was added |
|
2003-07-16
|
05 | Michael Lee | State Changes to IESG Evaluation from Waiting for Writeup by Lee, Michael |
|
2003-07-15
|
05 | Russ Housley | Status date has been changed to 2003-7-15 from 2003-03-28 |
|
2003-07-15
|
05 | Russ Housley | State Changes to Waiting for Writeup from In Last Call by Housley, Russ |
|
2003-05-05
|
05 | Jacqueline Hargest | State Changes to In Last Call from Last Call Requested by Hargest, Jacqueline |
|
2003-05-05
|
05 | (System) | Last call sent |
|
2003-04-10
|
05 | Russ Housley | State Changes to Last Call Requested from AD Evaluation :: External Party by Housley, Russ |
|
2003-04-02
|
04 | (System) | New version available: draft-ietf-secsh-dns-04.txt |
|
2003-03-28
|
05 | Russ Housley | Status date has been changed to 2003-03-28 from 2003-03-27 |
|
2003-03-28
|
05 | Russ Housley | State Changes to AD Evaluation :: External Party from Publication Requested by Housley, Russ |
|
2003-03-27
|
05 | Russ Housley | Working group chair requested IESG review and eventual publication as a Proposed Standard. |
|
2003-03-27
|
05 | Russ Housley | Draft Added by Housley, Russ |
|
2003-03-26
|
03 | (System) | New version available: draft-ietf-secsh-dns-03.txt |
|
2003-01-13
|
02 | (System) | New version available: draft-ietf-secsh-dns-02.txt |
|
2002-11-06
|
01 | (System) | New version available: draft-ietf-secsh-dns-01.txt |
|
2002-08-13
|
00 | (System) | New version available: draft-ietf-secsh-dns-00.txt |