IETF-SSH archive
Re: [psg.com #460] IESG - Transport - Oakley
On Sun, Jun 13, 2004 at 03:28:14PM -0400, Jeffrey Hutzelman wrote:
> On Sunday, June 13, 2004 22:53:49 +1000 Damien Miller <djm%mindrot.org@localhost>
> wrote:
> >Is it still appropriate to use sha1 (rather than sha256) with group
> >14? Staying with sha1 has the advantage that it reduces the number of
> >cryptographic algorithms that must be included in a minimalistic
> >implementation of the protocol.
>
> I don't know, but it certainly would be desirable to stick with sha1. For
> one thing, it means the new method can be specified in one sentence, and as
> you note, implemented very nearly as easily.
DH-GEX uses SHA-1, so if SHA-1 is not appropriate for DH group 14 then
it doesn't seem appropriate for DH-GEX either...
> It might be desirable to RECOMMEND or even REQUIRE that
> diffie-hellman-group14-sha1 be listed _before_ diffie-hellman-group1-sha1,
> so that its use is preferred when both sides support it. And of course, I
> imagine that implementors will provide policy options to turn off support
> for either group.
Why not generalize diffie-hellman-group<N>-<hash> and recommend group 14
w/ SHA-1?
Then when adding new ciphers we can ensure that each new cipher has a
recommended group (and recommended group size for DH-GEX).
And then recommend that peers advertise first groups of the recommended
size for the cipher with the largest key size.
I don't mean to replace DH-GEX by this suggestion, just a quick and easy
way to satisfy the IESG's concerns without requiring much effort on the
part of any implementors, particularly ones that don't implement DH-GEX.
One result of using standardized DH groups is a higher degree of
confidence, for clients, in the quality of selected groups over groups
offered by servers in DH-GEX.
Nico
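As an added example (not code from this thread or from any SSH implementation), the following Python sketch shows the two mechanics the message turns on: the RFC 4253 rule that the first entry of the client's kex_algorithms name-list that the server also supports is chosen, so listing diffie-hellman-group14-sha1 before diffie-hellman-group1-sha1 is what makes it preferred when both sides support it; and the generalized diffie-hellman-group<N>-<hash> naming, parsed into (group, hash) so a local policy option can drop the 1024-bit group. The name-lists, the function names and the 2048-bit threshold are constructed for illustration; the group sizes come from RFC 2409 (group1) and RFC 3526 (group14).

```python
import re
from typing import Optional, Tuple

# Modulus sizes (bits) of the fixed DH groups named in SSH kex methods:
# group1 is the 1024-bit Oakley group 2 (RFC 2409), group14 is the
# 2048-bit MODP group (RFC 3526).
GROUP_BITS = {1: 1024, 14: 2048}

# Constructed SSH_MSG_KEXINIT kex_algorithms name-lists (comma-separated,
# in preference order); not taken from any real implementation.
CLIENT_OLD_FIRST = "diffie-hellman-group1-sha1,diffie-hellman-group14-sha1"
CLIENT_NEW_FIRST = ("diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,"
                    "diffie-hellman-group-exchange-sha1")
SERVER_LIST = ("diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,"
               "diffie-hellman-group1-sha1")

_FIXED_GROUP = re.compile(r"^diffie-hellman-group(\d+)-(sha\d+)$")


def parse_fixed_group_kex(name: str) -> Optional[Tuple[int, str]]:
    """Split a diffie-hellman-group<N>-<hash> name into (N, hash).
    Returns None for names that do not follow that pattern (e.g. DH-GEX)."""
    m = _FIXED_GROUP.match(name)
    if m is None:
        return None
    return int(m.group(1)), m.group(2)


def negotiate_kex(client_list: str, server_list: str) -> Optional[str]:
    """RFC 4253 section 7.1 selection rule, simplified: the first algorithm
    on the client's list that also appears on the server's list is chosen,
    so the client's ordering decides which method wins. (The full rule adds
    a constraint tying the kex method to a usable host key type; omitted.)"""
    server = set(filter(None, server_list.split(",")))
    for name in client_list.split(","):
        if name and name in server:
            return name
    return None  # no common method: the connection fails at kex


def filter_by_policy(name_list: str, min_group_bits: int = 2048) -> str:
    """Local policy switch of the kind the thread expects implementors to
    offer: drop fixed-group methods whose modulus is below min_group_bits.
    Names this function cannot classify (DH-GEX, unknown group numbers) are
    kept, since their group size is negotiated or unknown rather than weak."""
    kept = []
    for name in name_list.split(","):
        parsed = parse_fixed_group_kex(name)
        if parsed is not None:
            group, _hash = parsed
            if group in GROUP_BITS and GROUP_BITS[group] < min_group_bits:
                continue
        kept.append(name)
    return ",".join(kept)


if __name__ == "__main__":
    # Same server, two client orderings: only the order changes the outcome.
    print("group1 listed first :", negotiate_kex(CLIENT_OLD_FIRST, SERVER_LIST))
    print("group14 listed first:", negotiate_kex(CLIENT_NEW_FIRST, SERVER_LIST))
    # Policy filter removes group1 from the client's offer entirely.
    print("policy-filtered     :",
          negotiate_kex(filter_by_policy(CLIENT_OLD_FIRST), SERVER_LIST))
```

The point the sketch makes concrete is that a server cannot force the stronger group on its own under the RFC 4253 rule; either the client lists group14 first, or one side removes group1 from its offer through a policy option, which is why the thread discusses both a RECOMMEND/REQUIRE on ordering and implementor-provided switches.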