IETF-SSH archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: New IDs
On Sunday, May 23, 2004 15:58:10 +1000 Damien Miller <djm%mindrot.org@localhost>
wrote:
Chris Lonvick wrote:
http://www.employees.org/~lonvick/ssh/transport-16-18.html
Section 7.1 is seriously broken by these changes. The new text reads:
The "diffie-hellman-group1-sha1" method specifies Diffie-Hellman key
exchange with SHA-1 as HASH, and Oakley group 14 [RFC3526] (2048-bit
MODP Group). It is included below in hexadecimal and decimal.
"diffie-hellman-group1-sha1" isn't rfc3526 group 14, it is rfc2904
group 2.
RFC2904 is "AAA Authorization Framework"; it does not define any groups.
It took me a while to figure out what the typo was; the correct reference
is to RFC2409 section 6.2.
This group represented by this name can't change without
breaking compatibility with every SSH2 implementation that uses it.
Agreed.
Worse, the changed wording doesn't even agree with the numeric group
immediately below it, which remains rfc2904/group2.
Agreed. The wording should be fixed:
- Oakley group 14 [RFC3526] (2048-bit MODP Group).
+ Oakley group 2 [RFC2409] (section 6.2).
Additionally, IMHO the group should _not_ be copied in the document.
Verify that the value in RFC2409 is correct, and incorporate it by
reference. This precludes any possibility of confusion arising as a result
of an incorrect value appearing in our document.
The right way to change would be to recommend the use of DH-GEX or
adopt Peter Gutmann's "diffie-hellman-groupN-sha1" proposal to make
a "diffie-hellman-group14-sha1" (though I'd prefer a shorter name,
while we are making changes).
I was under the impression that we had already been over this issue, and
that we were going to recommend implementation of DH-GEX, and that that
satisfied the IESG's concern.
To retain interoperability with the current installed base, support
for the current group would have to stay a MUST regardless.
I agree. I would not object to also making DH-GEX a MUST.
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+%cmu.edu@localhost>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
Home |
Main Index |
Thread Index |
Old Index