ED25519 SSHFP in OpenSSH & IETF

Loganaden Velvindron
Hi All,

I've been working on a diff to get SSHFP support for ed25519 in OpenSSH.

SM has been working through the IETF process to obtain the SSHFP RR Type
number.

Despite getting "rough consensus", we still haven't heard anything from the
IETF Security Directors for the draft. SM sent a mail asking why it is taking
so long, and it appears that his mail was ignored.

Please see:
http://www.ietf.org/mail-archive/web/ietf/current/msg87189.html

This situation is rather unusual, and that makes me wonder what's
exactly going on there, as I believe that we've done our homework
correctly.

Maybe the OpenSSH community needs to get involved, so that we can
get work done :-) ?


Re: ED25519 SSHFP in OpenSSH & IETF

Simon Perreault-3
On 2014-04-09 12:47, Loganaden Velvindron wrote:
> This situation is rather unusual, and that makes me wonder what's
> exactly going on there, as I believe that we've done our homework
> correctly.

UNUSUAL??? The IETF is notorious for its incredible delays. The
situation is typical IMHO.

Nobody in IETF is accountable for anything, so you rely on people's good
intentions. You need to poke the right people, and poke them again, and
poke someone who will know how to poke them, etc. etc. etc.

> Maybe the OpenSSH community needs to get involved, so that we can
> get work done :-) ?

If by "get involved" you mean swamping the IETF powers that be with
email, that would be the wrong way to do it.

SM knows how to navigate the IETF waters. Let him do his job.

Simon


Re: ED25519 SSHFP in OpenSSH & IETF

Theo de Raadt
In reply to this post by Loganaden Velvindron
> On 2014-04-09 12:47, Loganaden Velvindron wrote:
> > This situation is rather unusual, and that makes me wonder what's
> > exactly going on there, as I believe that we've done our homework
> > correctly.
>
> UNUSUAL??? The IETF is notorious for its incredible delays. The
> situation is typical IMHO.
>
> Nobody in IETF is accountable for anything, so you rely on people's good
> intentions. You need to poke the right people, and poke them again, and
> poke someone who will know how to poke them, etc. etc. etc.
>
> > Maybe the OpenSSH community needs to get involved, so that we can
> > get work done :-) ?
>
> If by "get involved" you mean swamping the IETF powers that be with
> email, that would be the wrong way to do it.
>
> SM knows how to navigate the IETF waters. Let him do his job.

Alternatively, come to a realization that SSH is not controlled by the
IETF.


Re: ED25519 SSHFP in OpenSSH & IETF

Giancarlo Razzolini-3
On 09-04-2014 14:29, Theo de Raadt wrote:
> Alternatively, come to a realization that SSH is not controlled by the
> IETF.
Let's be honest. Although SSHFP records are a great thing, very few
system administrators use them. I use them myself. But only in my internal
network and in my own resolver (using bind views). My external
authoritative server, and almost all of the hosted based ones, do not
have the possibility of adding SSHFP records. I use Amazon's Route53 and
since I use their failover and load balancing features, I must host my
records there. They don't have SSHFP records. They don't even have
DNSSEC for that matter. SSHFP without DNSSEC isn't that useful. And
even then DNSSEC introduces problems of its own.

I'm in favor of having the IETF assign an RR number for ed25519. But don't
sweat that much if they take an awfully long time to do it, since not
that many people use SSHFP.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC


Re: ED25519 SSHFP in OpenSSH & IETF

Damien Miller
In reply to this post by Loganaden Velvindron
On Wed, 9 Apr 2014, Loganaden Velvindron wrote:

> Maybe the OpenSSH community needs to get involved, so that we can
> get work done :-) ?

I think "getting involved" will be a matter of us acting unilaterally
and just committing support for the new SSHFP code point.

-d


Re: ED25519 SSHFP in OpenSSH & IETF

Theo de Raadt
In reply to this post by Loganaden Velvindron
> > Maybe the OpenSSH community needs to get involved, so that we can
> > get work done :-) ?
>
> I think "getting involved" will be a matter of us acting unilaterally
> and just committing support for the new SSHFP code point.

If that is what it takes to reserve a number these days...

It has been done before.