IETF-SSH archive
Re: [psg.com #460] IESG - Transport - Oakley
On Tue, Jun 15, 2004 at 07:57:14AM +1000, Damien Miller wrote:
> Nicolas Williams wrote:
> >>I don't know, but it certainly would be desirable to stick with sha1. For
> >>one thing, it means the new method can be specified in one sentence, and as
> >>you note, implemented very nearly as easily.
> >
> > DH-GEX uses SHA-1, so if SHA-1 is not appropriate for DH group 14 then
> > it doesn't seem appropriate for DH-GEX either...
>
> If the issue is that sha1 only returns 160 bits, insufficient to fully
> populate the keys for aes192-cbc and aes256-cbc then I don't believe
> that this is a practical problem (maybe in ~70 years) and certainly not
> one to delay publication over.
I don't think it's a practical problem now, no.
But parametrizing the SSHv2 DH kex (diffie-hellman-group<N>-<hash>)
shouldn't hold up publication as long as we quickly reach consensus
on the meaning of <N> and <hash>.
I'm not opposed to limiting <hash> to SHA-1 to begin with.
Nico
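Added example, not code from this thread or from any SSH implementation: a Python sketch of the key-expansion rule in the secsh transport draft (published as RFC 4253, section 7.2) that the quoted "160 bits" remark is about. A cipher key longer than the hash output is built as K1 || K2 || ..., where K1 = HASH(K || H || X || session_id) and each further Kn = HASH(K || H || K1 || ... || Kn-1), so a 32-byte aes256-cbc key takes two SHA-1 outputs but a single SHA-256 output. The parse_kex_name helper (and the set of hash names it accepts), the shared secret and the exchange hash are constructed for the example; the mpint encoding follows RFC 4251 section 5.

```python
import hashlib
import re

# Method names of the form diffie-hellman-group<N>-<hash>, as discussed in the
# thread.  The hash names accepted here are an assumption of this example.
KEX_NAME = re.compile(r"^diffie-hellman-group(\d+)-(sha1|sha256|sha512)$")


def parse_kex_name(name):
    """Split 'diffie-hellman-group<N>-<hash>' into (N, hashlib hash name)."""
    m = KEX_NAME.match(name)
    if not m:
        raise ValueError("not a parametrized DH kex name: %r" % name)
    return int(m.group(1)), m.group(2)


def ssh_mpint(n):
    """Encode a non-negative integer as an SSH mpint (RFC 4251 section 5):
    uint32 length, then big-endian two's-complement bytes.  A leading 0x00 is
    added when the high bit is set; zero encodes as a zero-length string."""
    if n < 0:
        raise ValueError("this example handles non-negative values only")
    body = b"" if n == 0 else n.to_bytes((n.bit_length() + 8) // 8, "big")
    return len(body).to_bytes(4, "big") + body


def derive_key(hash_name, K, H, letter, session_id, need):
    """RFC 4253 section 7.2 key expansion.

    K      shared secret (integer, encoded as mpint before hashing)
    H      exchange hash (bytes)
    letter single purpose byte, e.g. b"C" for client-to-server encryption key
    need   number of key bytes required by the cipher

    K1 = HASH(K || H || letter || session_id)
    Kn = HASH(K || H || K1 || ... || Kn-1)
    key = (K1 || K2 || ...)[:need]
    """
    digest = lambda data: hashlib.new(hash_name, data).digest()
    k = ssh_mpint(K)
    out = digest(k + H + letter + session_id)
    while len(out) < need:
        out += digest(k + H + out)        # hash over all key material so far
    return out[:need]


def hash_blocks_needed(hash_name, need):
    """How many hash outputs the expansion above consumes for `need` bytes."""
    size = hashlib.new(hash_name).digest_size
    return -(-need // size)               # ceiling division


# Constructed demo inputs: a small stand-in shared secret (the RFC 4251 mpint
# example value) and an exchange hash computed over a fixed string.  Real
# values come from the DH exchange and the hash of the kex transcript.
DEMO_K = 0x9a378f9b2e332a7
DEMO_TRANSCRIPT = b"constructed exchange hash"


def demo(kex_name, key_len=32):
    """Derive a `key_len`-byte client-to-server key for the named method.
    Returns (key bytes, number of hash blocks used).  On the first exchange
    the session_id is H itself."""
    _group, hash_name = parse_kex_name(kex_name)
    H = hashlib.new(hash_name, DEMO_TRANSCRIPT).digest()
    key = derive_key(hash_name, DEMO_K, H, b"C", H, key_len)
    return key, hash_blocks_needed(hash_name, key_len)


if __name__ == "__main__":
    for name in ("diffie-hellman-group14-sha1", "diffie-hellman-group14-sha256"):
        key, blocks = demo(name)
        print(name, key.hex(), "hash blocks used:", blocks)
```

The second SHA-1 block is a deterministic function of K, H and the first block, so the 256-bit key carries no more entropy than the exchange hash and shared secret already provide; that is the observation behind the "160 bits" concern, and why a wider hash in the method name closes it without changing the expansion rule.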