- section 1, ECMQV has been dropped from the National Security Agency's Suite B. I don't know when but it's not there now: http://www.nsa.gov/ia/industry/crypto_suite_b.cfm I'm wondering if an inclusion of that in this draft may not cast some shadow on it in general as including something that might have potential legal issues if used.
While it's no longer part of NIST Suite B, it is a useful protocol that I am to understand a number of organizations wish to use. I have added language clarifying that the ECMQV portion is optional.
- section 5. I don't know very much about ECC so I have a question. I understand that we can use implicit server authentication since server's private key is already involved in the generation of the shared secret. So, HMAC instead of the ECDSA is then used just because it's faster?
That's right.
- is it needed to include shared secret in the hash input when we already use it in HMAC on the resulting hash? I'd say to break it is equally difficult whether the secret is there or not.
I suppose it's not strictly necessary in the context of HMAC. If the value H in that section is ever used for another purpose in the context of the SSH protocol, then it would be necessary to have it in there for authentication purposes. It doesn't hurt to keep it in, so that is my preference.
- section 9.2, I like that you put the command sequence that generates Base64(MD5(DER(OID))). However, claiming that you can run it on many unix-like systems seems quite strong to me. "oid" is not found on any system I tried, be it FreeBSD 6.1, Gentoo 1.12.11.1, or OpenSolaris. What's more, "xxd" is part of ViM. Not sure if those details should be part of the RFC but at least "oid" is quite a generic name; I can't find what "oid -i" is supposed to do exactly, I just guess "-i" means an input file, not a specific type of output.
I've clarified the language to be clear that these are not standard Unix commands but could be installed from the URLs given.
Thanks, Douglas
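The Base64(MD5(DER(OID))) computation discussed under section 9.2 above, written out in plain Python rather than with the "oid" and "xxd" tools, so it runs anywhere without extra packages. This is an added example and not part of the thread or the draft: it DER-encodes a dotted curve OID (tag 0x06, short-form length, first two arcs combined as 40*a+b, remaining arcs base-128 with continuation bits), hashes it with MD5 and Base64-encodes the digest with standard padding. The two sample OIDs are the real secp256r1 (1.2.840.10045.3.1.7) and secp384r1 (1.3.132.0.34) identifiers; the "ecdh-sha2-" prefix and the helper names are this example's own choices. The `match_method_name` helper is included because a receiver cannot invert the MD5 step: it can only compare an incoming identifier against a table of curves it already knows and supports.

```python
import base64
import hashlib


def encode_arc(value: int) -> bytes:
    """Base-128 encoding of one OID arc; high bit set on every byte except the last."""
    if value < 0:
        raise ValueError("OID arcs are non-negative")
    out = [value & 0x7F]
    value >>= 7
    while value:
        out.append(0x80 | (value & 0x7F))
        value >>= 7
    return bytes(reversed(out))


def der_encode_oid(oid: str) -> bytes:
    """DER-encode a dotted OID string, e.g. '1.2.840.10045.3.1.7'."""
    arcs = [int(a) for a in oid.split(".")]
    if len(arcs) < 2:
        raise ValueError("an OID needs at least two arcs")
    if arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid first two arcs")
    # First two arcs share one sub-identifier: 40 * arc1 + arc2.
    body = encode_arc(arcs[0] * 40 + arcs[1])
    body += b"".join(encode_arc(a) for a in arcs[2:])
    if len(body) > 127:
        # Curve OIDs are short; long-form lengths are out of scope for this example.
        raise ValueError("OID body too long for short-form DER length")
    return bytes([0x06, len(body)]) + body


def ecdh_method_name(oid: str) -> str:
    """Build 'ecdh-sha2-' + Base64(MD5(DER(OID))) for a curve identified by OID.

    MD5 is used here only as a name-derivation function, exactly as the draft
    describes; it carries no security property in this construction.
    """
    digest = hashlib.md5(der_encode_oid(oid)).digest()
    return "ecdh-sha2-" + base64.b64encode(digest).decode("ascii")


def match_method_name(name: str, known_oids: list) -> str:
    """Return the OID from known_oids whose derived method name equals `name`,
    or an empty string if none matches. A peer cannot recover the OID from the
    hash, so it must compare against curves it already supports."""
    for oid in known_oids:
        if ecdh_method_name(oid) == name:
            return oid
    return ""


# Constructed sample inputs: two well-known NIST curve OIDs.
SAMPLE_OIDS = ["1.2.840.10045.3.1.7", "1.3.132.0.34"]

if __name__ == "__main__":
    for oid in SAMPLE_OIDS:
        print(oid, der_encode_oid(oid).hex(), ecdh_method_name(oid))
    wanted = ecdh_method_name("1.3.132.0.34")
    print("matched:", match_method_name(wanted, SAMPLE_OIDS))
```

Compare the printed DER hex against the draft's own "oid -i | xxd" pipeline if you have those tools installed; the MD5 and Base64 steps are then identical to "openssl dgst -md5 -binary | base64".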