draft-ietf-secsh-scp-sftp-ssh-uri-03.txt   draft-ietf-secsh-scp-sftp-ssh-uri-04.txt 
Network Working Group J. Salowey Network Working Group J. Salowey
Internet-Draft Cisco Systems Internet-Draft Cisco Systems
Expires: December 3, 2005 S. Suehring Expires: August 5, 2006 S. Suehring
June 2005 February 1, 2006
Uniform Resource Identifier (URI) Scheme for Secure File Transfer Uniform Resource Identifier (URI) Scheme for Secure File Transfer
Protocol (SFTP) and Secure Shell (SSH) Protocol (SFTP) and Secure Shell (SSH)
draft-ietf-secsh-scp-sftp-ssh-uri-03.txt draft-ietf-secsh-scp-sftp-ssh-uri-04.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 35 skipping to change at page 1, line 35
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on December 3, 2005. This Internet-Draft will expire on August 5, 2006.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2005). Copyright (C) The Internet Society (2006).
Abstract Abstract
This document describes the Uniform Resource Identifiers used to This document describes the Uniform Resource Identifiers used to
locate resources for the Secure File Transfer Protocol (SFTP) and the locate resources for the Secure File Transfer Protocol (SFTP) and the
Secure Shell (SSH) protocols. The document describes the generic Secure Shell (SSH) protocols. The document describes the generic
syntax involved in URI definitions as well as specific definitions syntax involved in URI definitions as well as specific definitions
for each protocol. These specific definitions may include user for each protocol. These specific definitions may include user
credentials such as username and also may include other parameters credentials such as username and also may include other parameters
such as host key fingerprint. In addition, security considerations such as host key fingerprint. In addition, security considerations
and examples are also provided within this document. and examples are also provided within this document.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. General Syntax . . . . . . . . . . . . . . . . . . . . . . . . 3 2. General Syntax . . . . . . . . . . . . . . . . . . . . . . . 3
2.1 Secure Shell (SSH) URI . . . . . . . . . . . . . . . . . . 3 3. Secure Shell (SSH) URI . . . . . . . . . . . . . . . . . . . 3
2.2 Secure File Transfer Protocol (SFTP) URI . . . . . . . . . 4 3.1 Scheme Name . . . . . . . . . . . . . . . . . . . . . . . 3
3. Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . 5 3.2 Status . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3.1 SSH connection parameters . . . . . . . . . . . . . . . . 5 3.3 URI Scheme Syntax . . . . . . . . . . . . . . . . . . . . 3
3.2 SFTP Parameters . . . . . . . . . . . . . . . . . . . . . 5 3.4 URI Semantics . . . . . . . . . . . . . . . . . . . . . . 4
4. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 3.5 Encoding Considerations . . . . . . . . . . . . . . . . . 4
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 3.6 Protocols using this URI scheme . . . . . . . . . . . . . 4
6. Security Considerations . . . . . . . . . . . . . . . . . . . 6 3.7 Security Considerations . . . . . . . . . . . . . . . . . 5
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 7 3.8 Contact . . . . . . . . . . . . . . . . . . . . . . . . . 5
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7 4. Secure File Transfer Protocol (SFTP) URI . . . . . . . . . . 5
8.1 Normative References . . . . . . . . . . . . . . . . . . . 7 4.1 Scheme Name . . . . . . . . . . . . . . . . . . . . . . . 5
8.2 Informative References . . . . . . . . . . . . . . . . . . 8 4.2 Status . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 8 4.3 URI Scheme Syntax . . . . . . . . . . . . . . . . . . . . 5
Intellectual Property and Copyright Statements . . . . . . . . 10 4.4 URI Semantics . . . . . . . . . . . . . . . . . . . . . . 6
4.5 Encoding Considerations . . . . . . . . . . . . . . . . . 6
4.6 Protocols using this URI scheme . . . . . . . . . . . . . 6
4.7 Security Considerations . . . . . . . . . . . . . . . . . 6
4.8 Contact . . . . . . . . . . . . . . . . . . . . . . . . . 7
5. Parameters . . . . . . . . . . . . . . . . . . . . . . . . . 7
5.1 SSH connection parameters . . . . . . . . . . . . . . . . 7
5.2 SFTP Parameters . . . . . . . . . . . . . . . . . . . . . 7
6. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 8
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . 8
8. Security Considerations . . . . . . . . . . . . . . . . . . 9
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
10.1 Normative References . . . . . . . . . . . . . . . . . . 9
10.2 Informative References . . . . . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 10
Intellectual Property and Copyright Statements . . . . . . . 11
1. Introduction 1. Introduction
This document describes the Uniform Resource Identifiers (URIs) to be This document describes the Uniform Resource Identifiers (URIs) to be
used with the Secure File Transfer Protocol (SFTP) [I-D.ietf-secsh- used with the Secure File Transfer Protocol (SFTP) [I-D.ietf-secsh-
filexfer] and Secure Shell (SSH) [I-D.ietf-secsh-architecture] filexfer] and Secure Shell (SSH) [RFC4251] protocols.
protocols.
2. General Syntax 2. General Syntax
A hierarchical URI shall consist of the scheme and the scheme A hierarchical URI shall consist of the scheme and the scheme
specific portion separated by a colon ":" followed by the specific portion separated by a colon ":" followed by the
hierarchical part, as discussed in [RFC3986]. This specification hierarchical part, as discussed in [RFC3986]. This specification
uses the definitions "port", "host", "scheme", "userinfo", "path- uses the definitions "port", "host", "scheme", "userinfo", "path-
empty", "path-abempty" and "authority" from [RFC3986]. This document empty", "path-abempty" and "authority" from [RFC3986]. This document
follows the ABNF notation defined in [RFC2234]. follows the ABNF notation defined in [RFC4234].
2.1 Secure Shell (SSH) URI 3. Secure Shell (SSH) URI
This section describes the SSH URI and contains the information
necessary to register the URI according to the template in
[I-D.hansen-2717bis-2718bis-uri-guidelines].
3.1 Scheme Name
The Secure Shell scheme name is "ssh".
3.2 Status
The requested status of the SSH URI is "permanent".
3.3 URI Scheme Syntax
The Secure Shell (SSH) scheme shall consist of the scheme name "ssh" The Secure Shell (SSH) scheme shall consist of the scheme name "ssh"
followed by a colon ":" followed by hier-part defined in [RFC3986]. followed by a colon ":" followed by hier-part defined in [RFC3986].
This URL does not designate a data object, but rather an interactive The SSH URI ABNF definition follows.
service. The SSH URI ABNF definition follows.
sshURI = "ssh:" hier-part sshURI = "ssh:" hier-part
hier-part = "//" authority ( path-empty / path-abempty ) hier-part = "//" authority path-abempty
authority = [ [ userinfo-ssh ] "@" ] host [ ":" port ] authority = [ [ ssh-info ] "@" ] host [ ":" port ]
host = <as specified in [RFC3986]> host = <as specified in [RFC3986]>
port = <as specified in [RFC3986]> port = <as specified in [RFC3986]>
userinfo-ssh = [ userinfo ] [";" c-param *("," c-param)]
userinfo = <as specified in [RFC3986]>
path-empty = <as specified in [RFC3986]>
path-abempty = <as specified in [RFC3986]> path-abempty = <as specified in [RFC3986]>
ssh-info = [ userinfo ] [";" c-param *("," c-param)]
userinfo = <as specified in [RFC3986]>
c-param = paramname "=" paramvalue c-param = paramname "=" paramvalue
paramname = *( ALPHA / DIGIT / "-" / "." / ":" ) paramname = *( ALPHA / DIGIT / "-" )
paramvalue = *( ALPHA / DIGIT / "-" / "." / ":" ) paramvalue = *( ALPHA / DIGIT / "-" )
The following reserved characters from [RFC3986] are used as
delimiters within the SSH URI: ";", ",", ":", and "=" . They must
not be escaped when used as delimiters and must be escaped when the
appear in other uses.
The first component of the scheme specific portion MAY include 3.4 URI Semantics
credentials (userinfo-ssh) consisting of a username followed by
optional parameters. The convention of optionally including the
password separated from the username by a ":" in the URI is NOT
RECOMMENDED and is deprecated in accordance with [RFC3986].
One or more optional connection parameters (conn-parameters) may be The intended usage of the SSH URI is to establish an interactive SSH
specified within the userinfo section of the URI. These conn- terminal session with the host defined in the authority portion of
parameters are separated from the userinfo by a semi-colon ";". The the URI. The only operation defined for the URI is to establish an
only connection parameter defined in this document is for the host- SSH terminal session with a remote host.
key fingerprint described in section Section 3.1. It is possible
that additional parameters be defined in the future. If a connection
parameter is not understood it SHOULD be ignored.
If the userinfo or connection parameters are present the at-sign "@" If the userinfo or connection parameters are present the at-sign "@"
shall precede the authority section of the URI. Optionally, the shall precede the authority section of the URI. Optionally, the
authority section MAY also include the port preceded by a colon ":". authority section MAY also include the port preceded by a colon ":".
If the port is not included, the default port is assumed. The host SHOULD be a non-empty string. If the port is not included,
the default port is assumed.
2.2 Secure File Transfer Protocol (SFTP) URI The ssh-info portion of the URI MAY include credentials consisting of
a username followed by optional parameters. The convention of
including the password separated from the username by a ":" in the
URI is NOT RECOMMENDED and is deprecated in accordance with
[RFC3986].
The SFTP URL scheme is used to designate files and directory listings One or more optional connection parameters (c-param) may be specified
to retrieve on Internet hosts accessible using the SFTP protocol within the userinfo section of the URI. These conn-parameters are
described in [I-D.ietf-secsh-filexfer]. For Secure File Transfer separated from the userinfo by a semi-colon ";". The only connection
Protocol (SFTP), the scheme portion shall consist of the scheme name parameter defined in this document is for the host-key fingerprint
"sftp". SFTP URIs ABNF definition is given below. described in Section 5.1. It is possible that additional parameters
be defined in the future. If a connection parameter is not
understood it SHOULD be ignored.
The SSH URI does not define a usage for a non-empty path element. If
a non-empty path element is included in an SSH URI then it SHOULD be
ignored.
3.5 Encoding Considerations
The encoding of the "host" portion of the URI is as defined in
[RFC3986]. The encoding of the connection parameters is described in
Section 5.1
3.6 Protocols using this URI scheme
This URI scheme is used by the SSH protocol version 2 defined in
[RFC4251].
3.7 Security Considerations
See Section 8.
3.8 Contact
This document is a product of the SSH working group.
4. Secure File Transfer Protocol (SFTP) URI
This section describes the Secure File Transfer protocol URI and
contains the information necessary to register the URI according to
the template in [I-D.hansen-2717bis-2718bis-uri-guidelines].
4.1 Scheme Name
The Secure File Transfer Protocol (SFTP) scheme name is "sftp".
4.2 Status
The requested status of the SFTP URI is "permanent".
4.3 URI Scheme Syntax
The SFTP URI scheme shall consist of the scheme name "sftp" followed
by a colon ":" followed by hier-part defined in [RFC3986]. The SFTP
URI ABNF definition follows.
sftpURI = "sftp:" hier-part sftpURI = "sftp:" hier-part
hier-part = "//" authority [ path ] [ ";" s-param *("," s-param)] hier-part = "//" authority path [";" s-param *("," s-param)]
path = <as specified in [RFC3986]> path = path-abempty
authority = [ userinfo-ssh "@" ] host [ ":" port ] path-abempty = <as specified in [RFC3986]>
authority = [ ssh-info "@" ] host [ ":" port ]
host = <as specified in [RFC3986]> host = <as specified in [RFC3986]>
port = <as specified in [RFC3986]> port = <as specified in [RFC3986]>
userinfo-ssh = [ userinfo ] [";" c-param *("," c-param)] ssh-info = [ userinfo ] [";" c-param *("," c-param)]
userinfo = <as specified in [RFC3986]> userinfo = <as specified in [RFC3986]>
c-param = paramname "=" paramvalue c-param = paramname "=" paramvalue
paramname = *( ALPHA / DIGIT / "-" / "." / ":" ) paramname = *( ALPHA / DIGIT / "-" )
paramvalue = *( ALPHA / DIGIT / "-" / "." / ":" ) paramvalue = *( ALPHA / DIGIT / "-" )
s-param = paramname "=" paramvalue s-param = paramname "=" paramvalue
The authority part is the same as that defined in the SSH scheme.
The following reserved characters from [RFC3986] are used as
delimiters within the SFTP URI: ";", ",", ":", "=" and "/". They
must not be escaped when used as delimiters and must be escaped when
the appear in other uses.
4.4 URI Semantics
The intended usage of the SFTP URI is to retrieve the contents of a
file or directory listing. The only operation defined for the URI is
this "GET" operation.
The authority portion of the SFTP URL is the same as for the SSH URL The authority portion of the SFTP URL is the same as for the SSH URL
defined in section Section 2.1. The URIs for SFTP are hierarchical defined in Section 3.4. The URIs for SFTP are hierarchical URIs
URIs where each component of the path consists of path elements where each component of the path consists of path elements separated
separated by a '/'. This formatting is meant to represent the path by a '/'. This formatting is meant to represent the path information
information as in Section 5 of [I-D.ietf-secsh-filexfer]. If a path as in Section 5 of [I-D.ietf-secsh-filexfer]. The SFTP
starts with a %2F (a URL-encoded "/") then it is relative to the root implementation determines where the root of the path in the URI is.
of the file system. Paths starting with any other character are It is RECOMMENDED that path be interpreted as an absolute path from
relative to the user's home or default directory. Note that the the root of the file system. An implementation MAY use the tilde
characters "/" and ";" are reserved and must be encoded. Path ("~") character as the first path element in the path to denote a
segments SHOULD be represented in the UTF-8 [RFC3629] character set path relative to the user's home directory. Note that dot segments
and clients SHOULD NOT disable UTF-8 translation on the server with
the filename-translation-control extension. The shortest valid UTF-8
encoding of the UNICODE data MUST be used. Note that dot segments
"." and ".." are only interpreted within the URI path hierarchy and "." and ".." are only interpreted within the URI path hierarchy and
are removes as part of the URL resolution process defined in are removed as part of the URL resolution process defined in
[RFC3986]. [RFC3986].
Following the path additional sftp specific parameters may be Following the path additional sftp specific parameters may be
specified. These are described in section Section 3.2. It is specified. These are described in Section 5.2. It is possible that
possible that additional parameters be defined in the future. If a additional parameters be defined in the future. If a sftp parameter
sftp parameter is not understood it SHOULD be ignored. is not understood it SHOULD be ignored.
3. Parameters 4.5 Encoding Considerations
3.1 SSH connection parameters Path segments SHOULD be represented in the UTF-8 [RFC3629] character
set and clients SHOULD NOT disable UTF-8 translation on the server
with the filename-translation-control extension. The shortest valid
UTF-8 encoding of the UNICODE data MUST be used. The encoding of the
"host" portion of the URI is as defined in [RFC3986]. The encoding
of the connection parameters is described in Section 5.1 and the
encoding of SFTP parameters is described in Section 5.2.
4.6 Protocols using this URI scheme
This URI scheme is used by the SFTP protocol defined in [I-D.ietf-
secsh-filexfer].
4.7 Security Considerations
The SFTP URI retrieves data from a remote host. Even though the
connection is secured by SFTP care should be taken in handling and
processing data retrieved from potentially unknown sources to avoid
malicious content from an attacker that may have been placed on the
host. For additional security considerations see Section 8.
4.8 Contact
This document is a product of the SSH working group.
5. Parameters
5.1 SSH connection parameters
The following parameters are associated with an SSH connection and The following parameters are associated with an SSH connection and
are applicable to SSH and SFTP. All parameters are optional and MUST are applicable to SSH and SFTP. All parameters are optional and MUST
NOT overwrite configured defaults. Individual parameters are NOT overwrite configured defaults. Individual parameters are
separated by a comma (","). separated by a comma (",").
fingerprint fingerprint
The fingerprint parameter contains the fingerprint of the host key The fingerprint parameter contains the fingerprint of the host key
for the host specified in the URL. The fingerprint is encoded as for the host specified in the URL. The fingerprint is encoded as
host-key-alg-fingerprint. Host-key-alg is host public key host-key-alg-fingerprint. Host-key-alg is host public key
algorithm defined in [I-D.ietf-secsh-transport] and the algorithm defined in [RFC4253] and the fingerprint format is
fingerprint format is [I-D.ietf-secsh-publickeyfile]. For use in [I-D.ietf-secsh-publickeyfile]. For use in a URI, the fingerprint
a URI, the fingerprint shall use a single dash "-" as a separator shall use a single dash "-" as a separator instead of the colon
instead of the colon ":" as described in [I-D.ietf-secsh- ":" as described in [I-D.ietf-secsh-publickeyfile]. This
publickeyfile]. This parameter MUST NOT overwrite a key that is parameter MUST NOT overwrite a key that is already configured for
already configured for the host. The fingerprint MAY be used to the host. The fingerprint MAY be used to validate the
validate the authenticity of the host key if the URL was obtained authenticity of the host key if the URL was obtained from an
from an authenticated source with its integrity protected. If authenticated source with its integrity protected. If this
this parameter is not included then the validity of the host key parameter is not included then the host key is validated using
is validated using another method. See Security Considerations another method. See Security Considerations section for
section for additional considerations. There MUST be only one additional considerations. There MUST be only one fingerprint
fingerprint parameter per host-key-alg for a given URL. parameter present in a given URL.
3.2 SFTP Parameters 5.2 SFTP Parameters
The SFTP parameters determine how to handle the file transfer The SFTP parameters determine how to handle the file transfer
character translation. Additional parameters MAY be used. character translation. Additional parameters MAY be used.
typecode typecode
The typecode identifies the type of file which determines how it The typecode identifies the type of file which determines how it
will be treated. The name for the typecode attribute is "type". will be treated. The name for the typecode attribute is "type".
The value "i" indicates that a file should be transmitted without The value "i" indicates that a file should be transmitted without
character conversion performed. The value "a" indicates that the character conversion performed. The value "a" indicates that the
file should be opened with the SSH_FXF_ACCESS_TEXT_MODE flag set file should be opened with the SSH_FXF_ACCESS_TEXT_MODE flag set
so it is converted to the canonical newline convention in use. so it is converted to the canonical newline convention in use.
The value "d" indicates that the path is a directory and should be The value "d" indicates that the path is a directory and should be
opened using SSH_FXP_OPENDIR. opened using SSH_FXP_OPENDIR.
4. Examples 6. Examples
The following section shows basic examples of URLs for each protocol. The following section shows basic examples of URLs for each protocol.
This section should not be considered to include all possible This section should not be considered to include all possible
combinations of URLs for each protocol. combinations of URLs for each protocol.
An SSH connection to the host host.example.com on the standard port An SSH connection to the host host.example.com on the standard port
using username user. using username user.
ssh://user@host.example.com ssh://user@host.example.com
skipping to change at page 6, line 29 skipping to change at page 8, line 29
ssh://user@host.example.com:2222 ssh://user@host.example.com:2222
An SSH connection to the host having the specified host-key An SSH connection to the host having the specified host-key
fingerprint at host.example.com on the standard port using username fingerprint at host.example.com on the standard port using username
user. user.
ssh://user;fingerprint=ssh-dss-c1-b1-30-29-d7-b8-de-6c-97- ssh://user;fingerprint=ssh-dss-c1-b1-30-29-d7-b8-de-6c-97-
77-10-d7-46-41-63-87@host.example.com 77-10-d7-46-41-63-87@host.example.com
Retrieve file.txt from the user's home directory on the host at Retrieve file.txt from the user's home directory on the host at
host.example.com using SFTP using username user. host.example.com using SFTP using username user. This example
assumes that the implementation supports the indication of a path
relative to the home directory using a leading tilde.
sftp://user@host.example.com/file.txt sftp://user@host.example.com/~/file.txt
Retrieve file.txt from the absolute path /dir/path on the host at Retrieve file.txt from the absolute path /dir/path on the host at
host.example.com using SFTP using username user. host.example.com using SFTP using username user.
sftp://user@host.example.com/%2Fdir/path/file.txt sftp://user@host.example.com/dir/path/file.txt
Retrieve the directory listing of user's home directory on the host Retrieve the directory listing of user's home directory on the host
having the specified host-key fingerprint at host.example.com using having the specified host-key fingerprint at host.example.com using
SFTP. SFTP.
sftp://user;fingerprint=ssh-dss-c1-b1-30-29-d7-b8-de-6c-97- sftp://user;fingerprint=ssh-dss-c1-b1-30-29-d7-b8-de-6c-97-
77-10-d7-46-41-63-87@host.example.com:2222/;type=d 77-10-d7-46-41-63-87@host.example.com:2222/;type=d
5. IANA Considerations 7. IANA Considerations
This document provides the information required in the URL Section 3 and Section 4 provide the information required in the URL
registration template in accordance with [RFC2717]. registration template in accordance with [I-D.hansen-2717bis-2718bis-
uri-guidelines].
6. Security Considerations 8. Security Considerations
Passwords SHOULD NOT be included within the URI it should be noted Passwords SHOULD NOT be included within the URI as doing so poses a
that doing so poses a security risk. Since URIs are usually sent in security risk. URIs are usually sent in the clear with no encryption
the clear with no encryption or other security, any password or other or other security, any password or other credentials included in the
credentials included in the userinfo could be seen by a potential userinfo could be seen by a potential attacker.
attacker.
Although the host-key fingerprint is not confidential information, Although the host-key fingerprint is not confidential information,
care must be taken in handling fingerprints associated with URIs care must be taken in handling fingerprints associated with URIs
because URIs transmitted or stored without protection may be modified because URIs transmitted or stored without protection may be modified
by an attacker. In general an implementation cannot determine the by an attacker. In general an implementation cannot determine the
source of a URI so a fingerprint received in a URI should have no source of a URI so a fingerprint received in a URI should have no
more trust associated with it than a raw public key received in the more trust associated with it than a raw public key received in the
SSH protocol itself. If a locally configured key exists for the SSH protocol itself. If a locally configured key exists for the
server already it MUST NOT be automatically overwritten with server already it MUST NOT be automatically overwritten with
information from the URI. If the host is unknown then the information from the URI. If the host is unknown then the
implementation should treat the fingerprint received with the same implementation should treat the fingerprint received with the same
caution that it does with any unknown public key. The client MAY caution that it does with any unknown public key. The client MAY
offer the fingerprint and URI for external validation before allowing offer the fingerprint and URI for external validation before allowing
a connection based on this information. If the client chooses to a connection based on this information. If the client chooses to
make a connection based on the URI information and it finds that the make a connection based on the URI information and it finds that the
public key in the URI and the public key offered by the server do not fingerprint in the URI and the public key offered by the server do
match then it SHOULD provide a warning and provide a means to abort not match then it SHOULD provide a warning and provide a means to
the connection. Sections 4.1 and 9.2.4 of [I-D.ietf-secsh- abort the connection. Sections 4.1 and 9.2.4 of [RFC4251] provide a
architecture] provide a good discussion of handling public keys good discussion of handling public keys received in the SSH protocol.
received in the SSH protocol.
7. Acknowledgements
Ben Harris has provided much useful feedback in the preparation of 9. Acknowledgements
this document.
8. References Ben Harris, Tom Petch and the members of the SSH working group have
provided much useful feedback in the preparation of this document.
8.1 Normative References 10. References
[I-D.ietf-secsh-architecture] 10.1 Normative References
Ylonen, T. and C. Lonvick, "SSH Protocol Architecture",
draft-ietf-secsh-architecture-22 (work in progress),
March 2005.
[I-D.ietf-secsh-filexfer] [I-D.ietf-secsh-filexfer]
Galbraith, J., "SSH File Transfer Protocol", Galbraith, J. and O. Saarenmaa, "SSH File Transfer
draft-ietf-secsh-filexfer-09 (work in progress), Protocol", draft-ietf-secsh-filexfer-12 (work in
June 2005. progress), January 2006.
[I-D.ietf-secsh-publickeyfile] [I-D.ietf-secsh-publickeyfile]
Galbraith, J. and R. Thayer, "SSH Public Key File Format", Galbraith, J. and R. Thayer, "SSH Public Key File Format",
draft-ietf-secsh-publickeyfile-09 (work in progress), draft-ietf-secsh-publickeyfile-11 (work in progress),
August 2005. January 2006.
[I-D.ietf-secsh-transport]
Lonvick, C., "SSH Transport Layer Protocol",
draft-ietf-secsh-transport-24 (work in progress),
March 2005.
[RFC2234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", RFC 2234, November 1997.
[RFC2717] Petke, R. and I. King, "Registration Procedures for URL
Scheme Names", BCP 35, RFC 2717, November 1999.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, RFC 3629, November 2003. 10646", STD 63, RFC 3629, November 2003.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66, Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, January 2005. RFC 3986, January 2005.
8.2 Informative References [RFC4234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", RFC 4234, October 2005.
[RFC2718] Masinter, L., Alvestrand, H., Zigmond, D., and R. Petke, [RFC4251] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH)
"Guidelines for new URL Schemes", RFC 2718, November 1999. Protocol Architecture", RFC 4251, January 2006.
[RFC3305] Mealling, M. and R. Denenberg, "Report from the Joint W3C/ [RFC4253] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH)
IETF URI Planning Interest Group: Uniform Resource Transport Layer Protocol", RFC 4253, January 2006.
Identifiers (URIs), URLs, and Uniform Resource Names
(URNs): Clarifications and Recommendations", RFC 3305, 10.2 Informative References
August 2002.
[I-D.hansen-2717bis-2718bis-uri-guidelines]
Hansen, T., "Guidelines and Registration Procedures for
new URI Schemes",
draft-hansen-2717bis-2718bis-uri-guidelines-06 (work in
progress), October 2005.
Authors' Addresses Authors' Addresses
Joseph Salowey Joseph Salowey
Cisco Systems Cisco Systems
2901 3rd Ave 2901 3rd Ave
Seattle, WA 98121 Seattle, WA 98121
US US
Email: jsalowey@cisco.com Email: jsalowey@cisco.com
skipping to change at page 10, line 41 skipping to change at page 11, line 41
This document and the information contained herein are provided on an This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement Copyright Statement
Copyright (C) The Internet Society (2005). This document is subject Copyright (C) The Internet Society (2006). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights. except as set forth therein, the authors retain all their rights.
Acknowledgment Acknowledgment
Funding for the RFC Editor function is currently provided by the Funding for the RFC Editor function is currently provided by the
Internet Society. Internet Society.
 End of changes. 48 change blocks. 
143 lines changed or deleted 245 lines changed or added

This html diff was produced by rfcdiff 1.28, available from http://www.levkowetz.com/ietf/tools/rfcdiff/