IETF-SSH archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: WG Session Summary



Secure Shell (secsh) WG Session summary:

We met for one hour on Tuesday afternoon.

Document status:

One document, draft-ietf-secsh-dns-05.txt has emerged from IESG review
and is now in the RFC editor queue.  (a first for this group); it also
got a DNS RR type code assigned by IANA.

The core protocol drafts were returned from the IESG with a number of
minor comments; we are in the process of resolving the technical
issues and will respin once these are resolved.

One other draft (draft-ietf-secsh-auth-kbdinteract-05.txt) was also
returned from the IESG with comments.

The Diffie-Hellman Group Exchange negotiation draft has just been
passed to the IESG.

Three other drafts are in WG Last Call (break, newmodes, and
publickeyfile).  "newmodes" is probably the most interesting as it
suggests several new cryptographic modes which fix minor cryptoraphic
defects in the ssh transport mode.

A new draft on SSH/SCP/SFTP URI formats was recently submitted and is
almost ready for review by the URI doctors.

proposed issue resolutions:
	- transport draft needs to move 3DES, AES references to normative
	- group sizes:
		preliminary discussions suggest that it will take some time to
		nail down new grops; we will instead put a note
		in the security considerations section 
		mentioning that group 1 is somewhat small, and
		additional groups will be specified in subsequent documents.
	- confusing/conflicting text with regards to version string
		line termination: 
		proposed text sent to WG list; needs review.
	- 3des effective strength:
		in security considerations section, mention that there is 
		a known but not practical 2^112 time 2^112 space
		attack which makes 3des slightly weaker than the 2^128 bit
		effective strength threshold; existing deployments and 
		lack of experience with newer ciphers make demoting 3des
		imprudent at this time.
	- move AES to REQUIRED?
		there does not seem to be any objection to this.
	- asymmetric algorithms
		change document to say that the symmetric algorithms
		used SHOULD be the same in each direction but there 
		may be environments where it makes sense to decouple them.
		Nicolas Williams pointed out that this also applies to 
		language negotiation.
	- default login timeouts:
		leave them alone; they're just defaults.
	- internationalization of passwords.
		something like the proposed text from the AD was considered 
		and rejected several years ago; leave it alone.
	- confusing/conflicting test with respect to "implicit server
		authentication"
		jhutz will propose replacement text soon.

near-term action items:

 - all document authors should contact the WG chair to arrange for write
access to the issue tracker.

 - wg chair to send summary the proposed resolution of core draft
issues to the WG list for discussion/consensus call.

 - jhutz will provide clarifying text relating to "implicit server
authentication" in the transport draft.

 - once resolved, document editor will re-spin core drafts

 - wg chair will close out WGLC on break, publickeyfile, and newmodes 
   and request publication when appropriate.

 - jhutz will respin the gsskeyex draft to include additional DH
groups besides oakley group 1 (as well as redo the security
considerations section)

 - wg chair will do WGLC on gsskeyex once respun



	



Home | Main Index | Thread Index | Old Index