IETF-SSH archive


Re: [psg.com #460] IESG - Transport - Oakley - new proposal



Chris Lonvick wrote:
> Hi,
> 
> On Tue, 22 Jun 2004, Niels Möller wrote:
> 
> 
>>Chris Lonvick <clonvick%cisco.com@localhost> writes:
>>
>>
>>>The proposed new section in [ARCH] will say:
>>>
>>>   As stated in Section 7.1 of [TRANS], each device will send a list of
>>>   preferred methods for key exchange.  The most-preferred method is the
>>>   first in the list.  Implementations are free to determine their default
>>>   preferences based upon relative cryptographic security, performance
>>>   or other criteria.  If only the two methods defined in Section 8 of
>>>   [TRANS] are implemented, it is RECOMMENDED that
>>>   diffie-hellman-group14-sha1 be listed before
>>>   diffie-hellman-group1-sha1 in the kex list.
>>
>>I can accept this writing, but I would still prefer that it either be
>>deleted, or be generalized to something like "if an implementation
>>doesn't have any other reason to prefer one algorithm over the
>>other, it's recommended to sort the algorithms by cryptographic
>>strength, strongest first", which applies to all algorithm lists, not
>>just the key exchange method.
> 
> 
> also
> 
> On Tue, 22 Jun 2004, Jeffrey Hutzelman writes:
> 
> 
>>I guess that text looks OK to me. I've sort of become indifferent on
>>this; I won't object strongly if people don't want to add this sort of
>>text.
> 
> 
> 
> So, it doesn't look like everyone is ready for a group hug on this one.
> I'll make this alternate proposal for this section:
> 
>    As stated in Section 7.1 of [TRANS], each device will send a list of
>    preferred methods for key exchange.  The most-preferred method is the
>    first in the list.  Implementors are free to determine their default
>    preferences.  If an implementation doesn't have any other reason to
>    prefer one algorithm over the other, it is RECOMMENDED to sort the
>    algorithms by cryptographic strength, strongest first.  Some additional
>    guidance for this is given in BCP 86 [RFC 3766].
> ftp://ftp.rfc-editor.org/in-notes/rfc3766.txt

I think this is too wordy. It is axiomatic that implementors can
determine their own preferences.

Perhaps this:

> As stated in Section 7.1 of [TRANS], each device will send a list of 
> preferred methods for key exchange. The most-preferred method is the 
> first in the list. It is RECOMMENDED to sort
> the algorithms by cryptographic strength, strongest first. Some
> additional guidance for this is given in BCP 86 [RFC 3766].
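A worked illustration of why the ordering matters, added here and not part of the thread: under Section 7.1 of [TRANS] the chosen kex method is the first entry of the client's list that the server also supports, so a client that lists diffie-hellman-group1-sha1 first gets the 1024-bit group even when the server would prefer the 2048-bit one. The modulus sizes are the defined ones for the two groups; using modulus size as the sort key is an assumption standing in for the BCP 86 strength estimate.

```python
# Added example (not from the original message): kex negotiation per
# [TRANS] Section 7.1 and a "strongest first" ordering of the kex list.
# Host-key compatibility, which 7.1 also requires, is deliberately ignored.

# Modulus sizes of the two methods defined in Section 8 of [TRANS].
MODULUS_BITS = {
    "diffie-hellman-group1-sha1": 1024,   # Oakley group 2 (1024-bit MODP)
    "diffie-hellman-group14-sha1": 2048,  # 2048-bit MODP group
}


def sort_strongest_first(kex_list):
    """Order a kex name-list by modulus size, largest first.

    Unknown names keep their relative order and sink to the end (stable sort).
    Modulus size is assumed here as a proxy for cryptographic strength.
    """
    return sorted(kex_list, key=lambda name: -MODULUS_BITS.get(name, 0))


def negotiate_kex(client_list, server_list):
    """Return the first method in the client's list that the server also lists.

    This is the rule of [TRANS] 7.1: the server's own ordering does not
    influence the choice, only which methods it supports. None means failure.
    """
    supported = set(server_list)
    for name in client_list:
        if name in supported:
            return name
    return None


def demo():
    """Constructed lists: client prefers group1, server prefers group14."""
    client = ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"]
    server = ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"]
    unsorted_choice = negotiate_kex(client, server)
    sorted_choice = negotiate_kex(sort_strongest_first(client), server)
    return unsorted_choice, sorted_choice


if __name__ == "__main__":
    before, after = demo()
    print("client list as sent:     ", before)
    print("client list sorted first:", after)
```

The server's preference order never changes the outcome; only the client's ordering does, which is why the recommendation targets the list each implementation sends.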