IETF-SSH archive


Re: [psg.com #460] IESG - Transport - Oakley - new proposal (fwd)



Bill Sommerfeld <sommerfeld%east.sun.com@localhost> writes:

> names such as "rfc3526-modp2048" seem more appropriate and unambiguous
> for the family of groups defined in that document.

In this case, we're considering two different naming schemes:

A:

  diffie-hellman-group1-sha1  "well known group 2", see RFC 2412
  diffie-hellman-group2-sha1  "2048-bit modp group", see RFC 3526

B:

  diffie-hellman-group1-sha1  "well known group 2", see RFC 2412
  diffie-hellman-group14-sha1 "2048-bit modp group"/"IKE group 14", see RFC 3526

The first consistently uses an independent ssh-specific name space.
The second attempts to borrow a subspace of that namespace from a
namespace defined elsewhere, and by doing so, it also *attempts* to
define the meaning of

  diffie-hellman-groupx-sha1

for arbitrary x. That's the main selling point of B, right?

I believe this selling point simply fails. To define e.g.
diffie-hellman-group3-sha1, an RFC must be published that defines its
meaning unambiguously. That requirement is from
draft-ietf-secsh-assignednumbers-06.txt, section 4.3, and I think it's
an appropriate requirement.

To me, it seems cleaner and less confusing to stick to the original
intentions of Tero and others and use a small ssh-specific name space,
and naming scheme A above. Then diffie-hellman-group1-sha1 means "well
known group 2" from one RFC. diffie-hellman-group2-sha1 means a
2028-bit group from a different RFC. diffie-hellman-group3-sha1 will
mean whatever we choose it to mean at the time we decide we need yet
another fixed group.

(Also note that it is consistent with the numbers document to have
some later RFC define diffie-hellman-ike2-groupx-sha1 for some set of
x, if we ever want that. That's however something that we *don't* need
to address at the moment).

I'm sorry we're digging up this old issue again. I want to state that
I don't feel very strongly about this naming stuff, but I'd prefer
that we get it right and clean. And from the earlier discussions, I
think the rest of you have a similar attitude to it.

So, what's the right thing to do now?

Regards,
/Niels

-- 
  There are two difficult unsolved problems in computer science:
  1. Cache invalidation
  2. Naming of things                             -- Phil Karton



