IETF-SSH archive

Re: Nits in current drafts
In article <E1D33CS-00087a-00%medusa01.cs.auckland.ac.nz@localhost> you write:
>The easiest way to resolve this I think is to require that signatures *only*
>be in "ssh-xyz format", regardless of the certificate format used (i.e. don't
>tie the signature format to the key format).

I think this is a bad idea for the following reasons:

It forces all RSA and DSA signatures to use a SHA-1 hash, which limits them
to 80 (or maybe 69) bits of security, which is likely to be insufficient
fairly soon, and is very likely to be less than the security offered by the
MAC and cipher in use.

It forces all RSA signatures to use RSASSA-PKCS1-v1_5/SHA-1, when the same
keys might be used with other signature schemes and hashes.  This goes
against the recommendation in section 6 of RFC 3447:

   A generally good cryptographic practice is to employ a given RSA key
   pair in only one scheme.  This avoids the risk that vulnerability in
   one scheme may compromise the security of the other, and may be
   essential to maintain provable security.  While RSAES-PKCS1-v1_5
   (Section 7.2) and RSASSA-PKCS1-v1_5 (Section 8.2) have traditionally
   been employed together without any known bad interactions (indeed,
   this is the model introduced by PKCS #1 v1.5), such a combined use of
   an RSA key pair is not recommended for new applications.

It makes the use of libraries (or perhaps hardware) that encapsulate
complete signature schemes unnecessarily difficult, and perhaps impossible
in the case of secure hardware that's only willing to use a particular
signature scheme.

-- 
Ben Harris
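The following is an added illustration for this thread, not code from the original message or from any SSH implementation. It shows concretely where the hash is baked into an "ssh-rsa" signature: the signature blob on the wire (RFC 4253 section 6.6) is just `string "ssh-rsa"` followed by `string rsa_signature_blob`, and the RSASSA-PKCS1-v1_5 encoded message (RFC 3447 section 9.2) carries the hash only as a DER DigestInfo inside the padding. Nothing in the blob tells the verifier which hash was used, so the format name alone must fix it; this is why tying signatures to the "ssh-xyz" key format pins RSA to SHA-1. The mapping table below also lists `rsa-sha2-256`, the name the working group later standardized in RFC 8332 to decouple the hash from the `ssh-rsa` key type. The sample message and the 1024-bit encoded-message length are constructed for the example; no RSA key is involved, only the encoding step that precedes modular exponentiation.

```python
import hashlib
import struct

# DER DigestInfo prefixes from RFC 3447 section 9.2, note 1.
DIGEST_INFO = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}

# Hash implied by each signature-format name. "ssh-rsa" and "ssh-dss" are the
# RFC 4253 formats discussed in the thread (both SHA-1); "rsa-sha2-256" is the
# later RFC 8332 name that decouples the hash from the "ssh-rsa" key type.
IMPLIED_HASH = {
    "ssh-rsa": "sha1",
    "ssh-dss": "sha1",
    "rsa-sha2-256": "sha256",
}


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def encode_signature(fmt: str, blob: bytes) -> bytes:
    """Wire form of an SSH signature: string format-name, string blob."""
    return ssh_string(fmt.encode("ascii")) + ssh_string(blob)


def _read_string(data: bytes, offset: int):
    if offset + 4 > len(data):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", data[offset:offset + 4])
    end = offset + 4 + n
    if end > len(data):
        raise ValueError("string runs past end of buffer")
    return data[offset + 4:end], end


def parse_signature(data: bytes):
    """Split a signature blob into (format name, raw signature bytes).

    Rejects truncated strings and trailing bytes; a verifier must not
    silently ignore garbage after the signature.
    """
    name, off = _read_string(data, 0)
    blob, off = _read_string(data, off)
    if off != len(data):
        raise ValueError("trailing data after signature")
    return name.decode("ascii"), blob


def is_well_formed_signature(data: bytes) -> bool:
    try:
        parse_signature(data)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def implied_hash(fmt: str) -> str:
    """The only place the hash is recorded: the format name, not the blob."""
    return IMPLIED_HASH[fmt]


def emsa_pkcs1_v15(message: bytes, hash_name: str, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5-ENCODE (RFC 3447 section 9.2).

    EM = 0x00 || 0x01 || PS || 0x00 || T, where T is DigestInfo || H(M) and
    PS is at least eight 0xff bytes. Which DigestInfo goes in is chosen by
    hash_name, so two signatures over the same message with different hashes
    are entirely different RSA inputs, yet the SSH wire blob looks the same.
    """
    digest = hashlib.new(hash_name, message).digest()
    t = DIGEST_INFO[hash_name] + digest
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t


def encoded_message_for(fmt: str, message: bytes, em_len: int) -> bytes:
    """What an RSA signer must feed to the private-key operation for a given
    SSH signature-format name. Only RSA formats have a PKCS#1 encoding."""
    if fmt not in ("ssh-rsa", "rsa-sha2-256"):
        raise ValueError("not an RSA signature format: " + fmt)
    return emsa_pkcs1_v15(message, implied_hash(fmt), em_len)


if __name__ == "__main__":
    # Constructed sample: a 1024-bit modulus (128-byte EM) and a dummy message.
    msg = b"abc"
    for fmt in ("ssh-rsa", "rsa-sha2-256"):
        em = encoded_message_for(fmt, msg, 128)
        print(fmt, "->", implied_hash(fmt), "EM tail:", em[-36:].hex())
    wire = encode_signature("ssh-rsa", b"\x00" * 128)
    print("parsed:", parse_signature(wire)[0], "well-formed:",
          is_well_formed_signature(wire), is_well_formed_signature(wire + b"\x00"))
```

Run it and compare the two `EM tail` lines: the trailing DigestInfo and digest differ, but the signature blob a peer receives is `string "ssh-rsa"` plus 128 opaque bytes either way. A verifier that is handed only the key type therefore has no choice but SHA-1, which is the coupling the message objects to.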
