On Tue, 22 Feb 2005, Niels Möller wrote:
As long as we're signing an exchange hash computed with sha-1, replacing the hashing that is part of the signature processing by something stronger than sha-1 won't increase security, will it?
True, but there will eventually be KEX methods that use better hashes than SHA-1.
It forces all RSA signatures to use RSASSA-PKCS1-v1_5/SHA-1, when the same keys might be used with other signature schemes and hashes.
Strictly speaking, it's possible to use the ssh-rsa *format* with other encapsulation schemes and hashes.
OK. That wasn't clear from Peter's proposal, and nor is it clear from the current draft. While I think it's silly to use "ssh-rsa" to mean "some unspecified kind of RSA signature", I don't think it's actually dangerous.
(And for the current drafts, we just need to delete underspecified certificate formats).
If they're really underspecified (to the extent that two people can't write interoperable implementations based solely on the spec) then yes, they should be deleted and specified properly in a separate draft.
-- Ben Harris
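An added illustration of the point argued in this thread (example code, not anything from the posters or from any SSH implementation): the "ssh-rsa" signature blob carries only the name and the raw RSASSA-PKCS1-v1_5 value, so the hash used inside the signature is not self-describing, and two implementations that assume different hashes will not interoperate even though both produce a syntactically valid "ssh-rsa" blob. The code uses pure Python with a toy RSA key built from two Mersenne primes (constructed for the demo and trivially factorable, so useless for real keys) and a constructed exchange hash; the wire encoding follows RFC 4251/4253 and the DigestInfo prefixes follow RFC 3447.

```python
"""Added example: what an RFC 4253 'ssh-rsa' signature blob does and does not
tell the verifier about the hash used inside it."""
import hashlib
import hmac
import struct

# Toy RSA key from two Mersenne primes (constructed for the demo; the shape
# makes it trivially factorable, so never use such a key for anything real).
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes (141 for this key)

# DigestInfo prefixes from RFC 3447 section 9.2, note 1.
DIGEST_INFO = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}


def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def parse_ssh_string(buf: bytes, off: int = 0):
    """Inverse of ssh_string; returns (payload, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def emsa_pkcs1_v1_5(msg: bytes, hash_name: str) -> bytes:
    """EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 DigestInfo || H(msg)."""
    t = DIGEST_INFO[hash_name] + hashlib.new(hash_name, msg).digest()
    ps_len = K - len(t) - 3
    if ps_len < 8:
        raise ValueError("modulus too short for this hash")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def sign_ssh_rsa(msg: bytes, hash_name: str = "sha1") -> bytes:
    """Build an 'ssh-rsa' blob: string "ssh-rsa" || string s (RFC 4253 6.6).
    Note that hash_name is NOT recorded anywhere in the output."""
    em = int.from_bytes(emsa_pkcs1_v1_5(msg, hash_name), "big")
    s = pow(em, D, N)
    return ssh_string(b"ssh-rsa") + ssh_string(s.to_bytes(K, "big"))


def verify_ssh_rsa(msg: bytes, blob: bytes, hash_name: str = "sha1") -> bool:
    """Verify blob over msg using the hash the *verifier* assumes; the spec,
    not the blob, has to fix that hash for two peers to interoperate."""
    name, off = parse_ssh_string(blob)
    sig, off = parse_ssh_string(blob, off)
    if name != b"ssh-rsa" or off != len(blob) or len(sig) != K:
        return False
    s = int.from_bytes(sig, "big")
    if s >= N:
        return False
    em = pow(s, E, N).to_bytes(K, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v1_5(msg, hash_name))


def demo() -> dict:
    """Sign the same (constructed) SHA-1 exchange hash with SHA-1 and SHA-256
    inside the signature, then check each blob with a SHA-1-only verifier."""
    exchange_hash = hashlib.sha1(b"constructed KEX transcript").digest()
    blob_sha1 = sign_ssh_rsa(exchange_hash, "sha1")
    blob_sha256 = sign_ssh_rsa(exchange_hash, "sha256")
    return {
        "sha1_blob_ok_as_sha1": verify_ssh_rsa(exchange_hash, blob_sha1, "sha1"),
        "sha256_blob_ok_as_sha1": verify_ssh_rsa(exchange_hash, blob_sha256, "sha1"),
        "sha256_blob_ok_as_sha256": verify_ssh_rsa(exchange_hash, blob_sha256, "sha256"),
        # Both blobs start with the identical 11-byte string "ssh-rsa" header.
        "blobs_same_name": blob_sha1[:11] == blob_sha256[:11],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The thing signed in `demo` is itself a SHA-1 exchange hash, which is the first point raised above: a stronger hash inside the signature cannot lift the security of the whole above what the SHA-1 exchange hash provides. The second point is visible in the results: a SHA-256-encoded signature wrapped in an "ssh-rsa" blob is indistinguishable on the wire from a SHA-1 one and is simply rejected by a peer that assumes SHA-1, which is why the hash has to be nailed down by the spec (or by a distinct algorithm name) rather than left to "some unspecified kind of RSA signature".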