mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-02 15:45:25 +00:00
Code Issues Releases Wiki Activity

new draft

Browse Source
This commit is contained in:
Mark Andrews
2003-05-06 00:27:43 +00:00
parent ebb9c914f2
commit 9d7c102897
1 changed files with 238 additions and 125 deletions
Download Patch File Download Diff File Expand all files Collapse all files

363
doc/draft/draft-ietf-secsh-dns-01.txt → doc/draft/draft-ietf-secsh-dns-04.txt
View File

@@ -1,13 +1,15 @@
Secure Shell Working Group J. Schlyter Secure Shell Working Group J. Schlyter
Internet-Draft Carlstedt Research & Internet-Draft Carlstedt Research &
Expires: May 4, 2003 Technology Expires: October 1, 2003 Technology
W. Griffin W. Griffin
Network Associates Laboratories Network Associates Laboratories
November 3, 2002 April 2, 2003
Using DNS to securely publish SSH key fingerprints Using DNS to securely publish SSH key fingerprints
draft-ietf-secsh-dns-01.txt draft-ietf-secsh-dns-04.txt
Status of this Memo Status of this Memo
@@ -15,13 +17,12 @@ Status of this Memo
all provisions of Section 10 of RFC2026. all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that other
other groups may also distribute working documents as Internet- groups may also distribute working documents as Internet-Drafts.
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at http:// The list of current Internet-Drafts can be accessed at http://
@@ -30,16 +31,16 @@ Status of this Memo
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on May 4, 2003. This Internet-Draft will expire on October 1, 2003.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2002). All Rights Reserved. Copyright (C) The Internet Society (2003). All Rights Reserved.
Abstract Abstract
This document describes a method to verify SSH host keys using This document describes a method to verify SSH host keys using
DNSSEC. The document defines a new DNS resource record that contains DNSSEC. The document defines a new DNS resource record that contains
a standard SSH key fingerprint. a standard SSH key fingerprint.
@@ -50,9 +51,10 @@ Abstract
Schlyter & Griffin Expires May 4, 2003 [Page 1]
Internet-Draft DNS and SSH fingerprints November 2002 Schlyter & Griffin Expires October 1, 2003 [Page 1]
Internet-Draft DNS and SSH fingerprints April 2003
Table of Contents Table of Contents
@@ -60,21 +62,22 @@ Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. SSH Host Key Verification . . . . . . . . . . . . . . . . . 3 2. SSH Host Key Verification . . . . . . . . . . . . . . . . . 3
2.1 Method . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.1 Method . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.2 Implementation notes . . . . . . . . . . . . . . . . . . . . 3 2.2 Implementation Notes . . . . . . . . . . . . . . . . . . . . 3
2.3 Fingerprint matching . . . . . . . . . . . . . . . . . . . . 4 2.3 Fingerprint Matching . . . . . . . . . . . . . . . . . . . . 4
2.4 Authentication . . . . . . . . . . . . . . . . . . . . . . . 4 2.4 Authentication . . . . . . . . . . . . . . . . . . . . . . . 4
3. The SSHFP resource record . . . . . . . . . . . . . . . . . 4 3. The SSHFP Resource Record . . . . . . . . . . . . . . . . . 4
3.1 The SSHFP RDATA format . . . . . . . . . . . . . . . . . . . 4 3.1 The SSHFP RDATA Format . . . . . . . . . . . . . . . . . . . 4
3.1.1 Algorithm number specification . . . . . . . . . . . . . . . 4 3.1.1 Algorithm Number Specification . . . . . . . . . . . . . . . 5
3.1.2 Fingerprint type specification . . . . . . . . . . . . . . . 5 3.1.2 Fingerprint Type Specification . . . . . . . . . . . . . . . 5
3.1.3 Fingerprint . . . . . . . . . . . . . . . . . . . . . . . . 5 3.1.3 Fingerprint . . . . . . . . . . . . . . . . . . . . . . . . 5
3.2 Presentation format of the SSHFP RR . . . . . . . . . . . . 5 3.2 Presentation Format of the SSHFP RR . . . . . . . . . . . . 6
4. Security considerations . . . . . . . . . . . . . . . . . . 5 4. Security Considerations . . . . . . . . . . . . . . . . . . 6
5. IANA considerations . . . . . . . . . . . . . . . . . . . . 6 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . 7
References . . . . . . . . . . . . . . . . . . . . . . . . . 7 Normative References . . . . . . . . . . . . . . . . . . . . 8
Informational References . . . . . . . . . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 8 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 8
A. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 A. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9
Full Copyright Statement . . . . . . . . . . . . . . . . . . 9 Intellectual Property and Copyright Statements . . . . . . . 10
@@ -105,35 +108,34 @@ Table of Contents
Schlyter & Griffin Expires October 1, 2003 [Page 2]
Schlyter & Griffin Expires May 4, 2003 [Page 2] Internet-Draft DNS and SSH fingerprints April 2003
Internet-Draft DNS and SSH fingerprints November 2002
1. Introduction 1. Introduction
The SSH [9] protocol provides secure remote login and other secure The SSH [5] protocol provides secure remote login and other secure
network services over an insecure network. The security of the network services over an insecure network. The security of the
connection relies on the server authenticating itself to the client. connection relies on the server authenticating itself to the client.
Server authentication is normally done by presenting the fingerprint Server authentication is normally done by presenting the fingerprint
of an unknown public key to the user for verification. If the user of an unknown public key to the user for verification. If the user
decides the fingerprint is correct and accepts the key, the key is decides the fingerprint is correct and accepts the key, the key is
saved locally and used for verification for all following saved locally and used for verification for all following
connections. While some security-conscious users do verify the connections. While some security-conscious users verify the
fingerprint out-of-band before accepting the key, the average user fingerprint out-of-band before accepting the key, many users blindly
usually blindly accepts the key presented. accepts the presented key.
The method described here can provide out-of-band verification by The method described here can provide out-of-band verification by
looking up a fingerprint of the server public key in the DNS [1][2] looking up a fingerprint of the server public key in the DNS [1][2]
and using DNSSEC [5] to verify the lookup. and using DNSSEC [4] to verify the lookup.
In order to distribute the fingerprint using DNS, this document In order to distribute the fingerprint using DNS, this document
defines a new DNS resource record to carry the fingerprint. defines a new DNS resource record to carry the fingerprint.
Basic understanding of the DNS system [1][2] and the DNS security Basic understanding of the DNS system [1][2] and the DNS security
extensions [5] is assumed by this document. extensions [4] is assumed by this document.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
@@ -150,39 +152,60 @@ Internet-Draft DNS and SSH fingerprints November 2002
record(s) returned from DNS, the client MAY accept the identity of record(s) returned from DNS, the client MAY accept the identity of
the server. the server.
2.2 Implementation notes 2.2 Implementation Notes
Client implementors SHOULD to provide a configurable policy used to Client implementors SHOULD provide a configurable policy used to
select the order of methods used to verify a host key and which select the order of methods used to verify a host key. This document
fingerprints to trust ultimately, after user confirmation or not at defines one method: Fingerprint storage in DNS. Another method
all. defined in the SSH Architecture [5] uses local files to store keys
for comparison. Other methods that could be defined in the future
might include storing fingerprints in LDAP or other databases. A
configurable policy will allow administrators to determine which
Schlyter & Griffin Expires October 1, 2003 [Page 3]
Internet-Draft DNS and SSH fingerprints April 2003
methods they want to use and in what order the methods should be
prioritized. This will allow administrators to determine how much
trust they want to place in the different methods.
Schlyter & Griffin Expires May 4, 2003 [Page 3] One specific scenario for having a configurable policy is where
clients do not use fully qualified host names to connect to servers.
In this scenario, the implementation SHOULD verify the host key
against a local database before verifying the key via the fingerprint
returned from DNS. This would help prevent an attacker from injecting
a DNS search path into the local resolver and forcing the client to
connect to a different host.
Internet-Draft DNS and SSH fingerprints November 2002 2.3 Fingerprint Matching
2.3 Fingerprint matching
The public key and the SSHFP resource record are matched together by The public key and the SSHFP resource record are matched together by
comparing algorithm number and fingerprint. comparing algorithm number and fingerprint.
The public key algorithm and the SSHFP algorithm number MUST
match.
A message digest of the public key, using the message digest
algorithm specified in the SSHFP fingerprint type, MUST match the
SSH FP fingerprint.
2.4 Authentication 2.4 Authentication
A public key verified using this method MUST only be trusted if the A public key verified using this method MUST only be trusted if the
SSHFP RR used for verification was authenticated by a trusted SIG RR. SSHFP resource record (RR) used for verification was authenticated by
a trusted SIG RR.
Clients that do not validate the DNSSEC signatures themselves MUST Clients that do not validate the DNSSEC signatures themselves MUST
use a secure transport, e.g. TSIG [6], SIG(0) [7] or IPsec [4], use a secure transport, e.g. TSIG [8], SIG(0) [9] or IPsec [7],
between themselves and the entity performing the signature between themselves and the entity performing the signature
validation. validation.
3. The SSHFP resource record 3. The SSHFP Resource Record
The SSHFP resource record (RR) is used to store a fingerprint of a The SSHFP resource record (RR) is used to store a fingerprint of a
SSH public host key that is associated with a Domain Name System SSH public host key that is associated with a Domain Name System
@@ -190,11 +213,18 @@ Internet-Draft DNS and SSH fingerprints November 2002
The RR type code for the SSHFP RR is TBA. The RR type code for the SSHFP RR is TBA.
3.1 The SSHFP RDATA format 3.1 The SSHFP RDATA Format
The RDATA for a SSHFP RR consists of an algorithm number, fingerprint The RDATA for a SSHFP RR consists of an algorithm number, fingerprint
type and the fingerprint of the public host key. type and the fingerprint of the public host key.
Schlyter & Griffin Expires October 1, 2003 [Page 4]
Internet-Draft DNS and SSH fingerprints April 2003
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
@@ -206,23 +236,11 @@ Internet-Draft DNS and SSH fingerprints November 2002
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3.1.1 Algorithm number specification 3.1.1 Algorithm Number Specification
This algorithm number octet describes the algorithm of the public This algorithm number octet describes the algorithm of the public
key. The following values are assigned: key. The following values are assigned:
Schlyter & Griffin Expires May 4, 2003 [Page 4]
Internet-Draft DNS and SSH fingerprints November 2002
Value Algorithm name Value Algorithm name
----- -------------- ----- --------------
0 reserved 0 reserved
@@ -231,7 +249,7 @@ Internet-Draft DNS and SSH fingerprints November 2002
Reserving other types requires IETF consensus. Reserving other types requires IETF consensus.
3.1.2 Fingerprint type specification 3.1.2 Fingerprint Type Specification
The fingerprint type octet describes the message-digest algorithm The fingerprint type octet describes the message-digest algorithm
used to calculate the fingerprint of the public key. The following used to calculate the fingerprint of the public key. The following
@@ -249,9 +267,21 @@ Internet-Draft DNS and SSH fingerprints November 2002
3.1.3 Fingerprint 3.1.3 Fingerprint
The fingerprint is calculated over the public key blob as described The fingerprint is calculated over the public key blob as described
in [10]. in [6].
3.2 Presentation format of the SSHFP RR The message-digest algorithm is presumed to produce an opaque octet
string output which is placed as-is in the RDATA fingerprint field.
Schlyter & Griffin Expires October 1, 2003 [Page 5]
Internet-Draft DNS and SSH fingerprints April 2003
3.2 Presentation Format of the SSHFP RR
The presentation format of the SSHFP resource record consists of two The presentation format of the SSHFP resource record consists of two
numbers (algorithm and fingerprint type) followed by the fingerprint numbers (algorithm and fingerprint type) followed by the fingerprint
@@ -260,25 +290,17 @@ Internet-Draft DNS and SSH fingerprints November 2002
host.example. SSHFP 2 1 123456789abcdef67890123456789abcdef67890 host.example. SSHFP 2 1 123456789abcdef67890123456789abcdef67890
4. Security considerations 4. Security Considerations
Currently, the amount of trust a user can realistically place in a Currently, the amount of trust a user can realistically place in a
server key is proportional to the amount of attention paid to server key is proportional to the amount of attention paid to
verifying that the key presented is actually the key at the server. verifying that the public key presented actually corresponds to the
If a user accepts a key without verifying the fingerprint with private key of the server. If a user accepts a key without verifying
something learned through a secured channel, the connection is the fingerprint with something learned through a secured channel, the
vulnerable to a man-in-the-middle attack. connection is vulnerable to a man-in-the-middle attack.
The approach suggested here shifts the burden of key checking from The approach suggested here shifts the burden of key checking from
each user of a machine to the key checking performed by the each user of a machine to the key checking performed by the
Schlyter & Griffin Expires May 4, 2003 [Page 5]
Internet-Draft DNS and SSH fingerprints November 2002
administrator of the DNS recursive server used to resolve the host administrator of the DNS recursive server used to resolve the host
information. Hopefully, by reducing the number of times that keys information. Hopefully, by reducing the number of times that keys
need to be verified by hand, each verification is performed more need to be verified by hand, each verification is performed more
@@ -289,7 +311,7 @@ Internet-Draft DNS and SSH fingerprints November 2002
The overall security of using SSHFP for SSH host key verification is The overall security of using SSHFP for SSH host key verification is
dependent on detailed aspects of how verification is done in SSH dependent on detailed aspects of how verification is done in SSH
implementations. One such aspect is in which order fingerprints are implementations. One such aspect is in which order fingerprints are
looked up (e.g. first checking local file and then SSHFP). We note looked up (e.g. first checking local file and then SSHFP). We note
that in addition to protecting the first-time transfer of host keys, that in addition to protecting the first-time transfer of host keys,
SSHFP can optionally be used for stronger host key protection. SSHFP can optionally be used for stronger host key protection.
@@ -302,7 +324,28 @@ Internet-Draft DNS and SSH fingerprints November 2002
As stated in Section 2.2, we recommend that SSH implementors provide As stated in Section 2.2, we recommend that SSH implementors provide
a policy mechanism to control the order of methods used for host key a policy mechanism to control the order of methods used for host key
verification. verification. One specific scenario for having a configurable policy
is where clients use unqualified host names to connect to servers. In
this case, we recommend that SSH implementations check the host key
against a local database before verifying the key via the fingerprint
returned from DNS. This would help prevent an attacker from injecting
Schlyter & Griffin Expires October 1, 2003 [Page 6]
Internet-Draft DNS and SSH fingerprints April 2003
a DNS search path into the local resolver and forcing the client to
connect to a different host.
A different approach to solve the DNS search path issue would be for
clients to use a trusted DNS search path, i.e., one not acquired
through DHCP or other autoconfiguration mechanisms. Since there is no
way with current DNS lookup APIs to tell whether a search path is
from a trusted source, the entire client system would need to be
configured with this trusted DNS search path.
Another dependency is on the implementation of DNSSEC itself. As Another dependency is on the implementation of DNSSEC itself. As
stated in Section 2.4, we mandate the use of secure methods for stated in Section 2.4, we mandate the use of secure methods for
@@ -314,12 +357,12 @@ Internet-Draft DNS and SSH fingerprints November 2002
after it is signed by the DNS zone administrator, the fingerprint after it is signed by the DNS zone administrator, the fingerprint
must be transferred securely from the SSH host administrator to the must be transferred securely from the SSH host administrator to the
DNS zone administrator. This could be done manually between the DNS zone administrator. This could be done manually between the
administrators or automatically using secure DNS dynamic update [8] administrators or automatically using secure DNS dynamic update [10]
between the SSH server and the nameserver. We note that this is no between the SSH server and the nameserver. We note that this is no
different from other key enrollment situations, e.g. a client different from other key enrollment situations, e.g. a client sending
sending a certificate request to a certificate authority for signing. a certificate request to a certificate authority for signing.
5. IANA considerations 5. IANA Considerations
IANA needs to allocate a RR type code for SSHFP from the standard RR IANA needs to allocate a RR type code for SSHFP from the standard RR
type space (type 44 requested). type space (type 44 requested).
@@ -327,14 +370,6 @@ Internet-Draft DNS and SSH fingerprints November 2002
IANA needs to open a new registry for the SSHFP RR type for public IANA needs to open a new registry for the SSHFP RR type for public
key algorithms. Defined types are: key algorithms. Defined types are:
Schlyter & Griffin Expires May 4, 2003 [Page 6]
Internet-Draft DNS and SSH fingerprints November 2002
0 is reserved 0 is reserved
1 is RSA 1 is RSA
2 is DSA 2 is DSA
@@ -349,47 +384,51 @@ Internet-Draft DNS and SSH fingerprints November 2002
Adding new reservations requires IETF consensus. Adding new reservations requires IETF consensus.
References Normative References
[1] Mockapetris, P., "Domain names - concepts and facilities", STD
13, RFC 1034, November 1987.
[2] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987.
[3] Bradner, S., "Key words for use in RFCs to Indicate Requirement Schlyter & Griffin Expires October 1, 2003 [Page 7]
Levels", BCP 14, RFC 2119, March 1997.
[4] Thayer, R., Doraswamy, N. and R. Glenn, "IP Security Document Internet-Draft DNS and SSH fingerprints April 2003
[1] Mockapetris, P., "Domain names - concepts and facilities", STD
13, RFC 1034, November 1987.
[2] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987.
[3] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
[4] Eastlake, D., "Domain Name System Security Extensions", RFC
2535, March 1999.
[5] Rinne, T., Ylonen, T., Kivinen, T. and S. Lehtinen, "SSH
Protocol Architecture", draft-ietf-secsh-architecture-13 (work
in progress), September 2002.
[6] Rinne, T., Ylonen, T., Kivinen, T., Saarinen, M. and S.
Lehtinen, "SSH Transport Layer Protocol",
draft-ietf-secsh-transport-15 (work in progress), September
2002.
Informational References
[7] Thayer, R., Doraswamy, N. and R. Glenn, "IP Security Document
Roadmap", RFC 2411, November 1998. Roadmap", RFC 2411, November 1998.
[5] Eastlake, D., "Domain Name System Security Extensions", RFC [8] Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington,
2535, March 1999.
[6] Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington,
"Secret Key Transaction Authentication for DNS (TSIG)", RFC "Secret Key Transaction Authentication for DNS (TSIG)", RFC
2845, May 2000. 2845, May 2000.
[7] Eastlake, D., "DNS Request and Transaction Signatures ( [9] Eastlake, D., "DNS Request and Transaction Signatures (
SIG(0)s)", RFC 2931, September 2000. SIG(0)s)", RFC 2931, September 2000.
[8] Wellington, B., "Secure Domain Name System (DNS) Dynamic [10] Wellington, B., "Secure Domain Name System (DNS) Dynamic
Update", RFC 3007, November 2000. Update", RFC 3007, November 2000.
[9] Ylonen, T., Kivinen, T., Saarinen, M., Rinne, T J. and S.
Lehtinen, "SSH Transport Layer Protocol", work in progress
draft-ietf-secsh-architecture-13.txt, September 2002.
[10] Ylonen, T., Kivinen, T., Saarinen, M., Rinne, T J. and S.
Lehtinen, "SSH Transport Layer Protocol", work in progress
draft-ietf-secsh-transport-15.txt, September 2002.
Schlyter & Griffin Expires May 4, 2003 [Page 7]
Internet-Draft DNS and SSH fingerprints November 2002
Authors' Addresses Authors' Addresses
@@ -403,6 +442,13 @@ Authors' Addresses
URI: http://www.crt.se/~jakob/ URI: http://www.crt.se/~jakob/
Schlyter & Griffin Expires October 1, 2003 [Page 8]
Internet-Draft DNS and SSH fingerprints April 2003
Wesley Griffin Wesley Griffin
Network Associates Laboratories Network Associates Laboratories
15204 Omega Drive Suite 300 15204 Omega Drive Suite 300
@@ -442,21 +488,56 @@ Appendix A. Acknowledgements
Schlyter & Griffin Expires May 4, 2003 [Page 8]
Internet-Draft DNS and SSH fingerprints November 2002
Schlyter & Griffin Expires October 1, 2003 [Page 9]
Internet-Draft DNS and SSH fingerprints April 2003
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11. Copies of
claims of rights made available for publication and any assurances of
licenses to be made available, or the result of an attempt made to
obtain a general license or permission for the use of such
proprietary rights by implementors or users of this specification can
be obtained from the IETF Secretariat.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive
Director.
Full Copyright Statement Full Copyright Statement
Copyright (C) The Internet Society (2002). All Rights Reserved. Copyright (C) The Internet Society (2003). All Rights Reserved.
This document and translations of it may be copied and furnished to This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of Internet organizations, except as needed for the purpose of
@@ -466,15 +547,24 @@ Full Copyright Statement
English. English.
The limited permissions granted above are perpetual and will not be The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns. revoked by the Internet Society or its successors or assignees.
This document and the information contained herein is provided on an This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
Schlyter & Griffin Expires October 1, 2003 [Page 10]
Internet-Draft DNS and SSH fingerprints April 2003
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement Acknowledgement
Funding for the RFC Editor function is currently provided by the Funding for the RFC Editor function is currently provided by the
@@ -498,6 +588,29 @@ Acknowledgement
Schlyter & Griffin Expires May 4, 2003 [Page 9]
Schlyter & Griffin Expires October 1, 2003 [Page 11]