Since Encaya now supports off-chain TLSA records (used for TLS server authentication), this raises a question: can something similar be done for SSHFP records (used for SSH server authentication)? In principle, the main things we would need to pull this off are:

1. Some way to embed a blob of data inside an SSH public key.
2. Some way for that blob to get passed to code we control (during the SSH handshake).
3. Some way to mark a public key as trusted (also during the SSH handshake).

For requirement 1, ...