Damien Miller wrote:
On Tue, 14 Apr 2009, Douglas Stebila wrote:

A new version of the draft for elliptic curve cryptography in SSH has been posted.

http://www.ietf.org/internet-drafts/draft-green-secsh-ecc-06.txt

The main substantive revision is that ecdsa-sha2 is now using a family of identifiers (as ecdh-sha2-* does) to specify the curve at the algorithm negotiation stage.

I have to say that I really dislike the Base64(MD5(DER(OID))) encoding of curve names into the kex method names. Why not just use the SEC names? Actually, why bake the names into the kex names at all? (as opposed to sending a curve spec as a parameter).
I second this opinion warmly. Method names, whether kex, cipher, mac, or compression should (and in my opinion must) be not only readable but also human readable.
If a large number of curves is needed and OID really must be used, then it should be encoded to ASCII in some human readable way, e.g. "ec-1.2.3.4.5". Still, SEC names would be much more sensible.
Anyways, if you assign an OID for each new curve, you can as well assign a unique symbolic name that also somewhat lists the characteristics of the curve.
The "Security Considerations" section talks about the possible need to replace SHA2 with other algorithms, but the name "sha2" is baked into the kex method name. Should the hash algorithm be a parameter too?
Maybe it should, but MAC in kex has a somewhat specific meaning and maybe it should be tied to a specific kex name. I don't have a strong opinion here.
-- 
Timo J. Rinne <tri%ssh.com@localhost>
Chief Technology Officer
SSH Communications Security Corp.
Valimotie 17, FIN-00380 Helsinki, Finland
+358 20 500 7000 T
+358 20 500 7397 F
http://www.ssh.com
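The two naming schemes discussed in this thread, side by side, as an added example that is not part of the original messages or of the draft: the Base64(MD5(DER(OID))) form cannot be decoded by whoever reads a config or a log and needs a lookup table of known curves, while the "ec-<dotted OID>" form parses directly. Assumptions: the DER encoding includes the tag and length octets, the prefix is taken from the ecdh-sha2-* family named above, and the sample OID 1.2.840.10045.3.1.7 (secp256r1) is chosen here for illustration; all function names are hypothetical.

```python
import base64
import hashlib


def der_encode_oid(dotted):
    """DER-encode an OBJECT IDENTIFIER (tag 0x06, short-form length only)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or min(arcs) < 0 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID: " + dotted)
    body = bytearray()
    # The first two arcs share one subidentifier: 40 * arc1 + arc2.
    for value in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [value & 0x7F]
        value >>= 7
        while value:  # base-128, high bit set on all but the last octet
            chunk.append(0x80 | (value & 0x7F))
            value >>= 7
        body.extend(reversed(chunk))
    if len(body) > 127:
        raise ValueError("long-form DER length not handled in this sketch")
    return bytes([0x06, len(body)]) + bytes(body)


def hashed_method_name(dotted, prefix="ecdh-sha2-"):
    """Curve identifier as Base64(MD5(DER(OID))) appended to the prefix."""
    digest = hashlib.md5(der_encode_oid(dotted)).digest()
    return prefix + base64.b64encode(digest).decode("ascii")


def readable_method_name(dotted):
    """The human readable alternative suggested in the reply: ec-<dotted OID>."""
    return "ec-" + dotted


def oid_from_readable(name):
    """The readable form is parsed back to the OID without any table."""
    if not name.startswith("ec-"):
        raise ValueError("not an ec-<oid> name")
    oid = name[3:]
    der_encode_oid(oid)  # validates the arcs
    return oid


def resolve_hashed(name, known_oids, prefix="ecdh-sha2-"):
    """An MD5 digest is one-way: the only way back is to hash every known OID."""
    table = {hashed_method_name(o, prefix): o for o in known_oids}
    return table.get(name)  # None when the curve is not in the reviewer's list


SAMPLE_OID = "1.2.840.10045.3.1.7"  # constructed sample input (secp256r1)
```
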