IETF-SSH archive


RE: deaft-gree-sedsh-ecc-08: small correction



Oops, mea culpa.  I see you are referring to draft-green-secsh-ecc-08, now
known as RFC 5656.  My responses were in reference to
draft-igoe-secsh-x509v3-05.

Given it has already been published as an RFC, the inclusion of MQV in
Suite B is an historical artifact that reflects the early genesis of
Suite B, and as such can stand.

The point at infinity is a worthy observation perhaps best 
addressed by an errata? I'm not terribly familiar with the IESG errata
process.

> -----Original Message-----
> From: ietf-ssh-owner%NetBSD.org@localhost [mailto:ietf-ssh-owner%NetBSD.org@localhost] On
> Behalf Of Igoe, Kevin M.
> Sent: Friday, August 13, 2010 9:06 AM
> To: Damien Miller; Douglas Stebila
> Cc: ietf-ssh%NetBSD.org@localhost
> Subject: RE: deaft-gree-sedsh-ecc-08: small correction
> 
> You are correct, MQV was thrown out of Suite B some time ago
> and we should rephrase this statement to reflect that.  I
> view leaving MQV in this draft as harmless.  Yes, currently
> there are Intellectual Property issues involving MQV, but that
> may well change in the future.
> 
> As to checking for the point at infinity in ECDH, I'd
> rather have that issue addressed in a document that is
> clearly directed at ECDH rather than having it hidden
> in a document that only peripherally touches ECDH.
> I'll be putting out a "Suite B for Secure Shell" document
> in the near future and plan to cover such issues in there.
> 
> 
> > -----Original Message-----
> > From: ietf-ssh-owner%NetBSD.org@localhost [mailto:ietf-ssh-owner%NetBSD.org@localhost] On
> > Behalf Of Damien Miller
> > Sent: Friday, August 13, 2010 1:30 AM
> > To: Igoe, Kevin M.; Douglas Stebila
> > Cc: ietf-ssh%NetBSD.org@localhost
> > Subject: Re: deaft-gree-sedsh-ecc-08: small correction
> >
> > On Tue, 16 Jun 2009, Igoe, Kevin M. wrote:
> >
> > > In the Introduction to draft-green-secsh-ecc-08 we find
> > >
> > >    In the interest of adding Suite B algorithms to SSH this document
> > >    adds three ECC Suite B algorithms to the Secure Shell arsenal:
> > >    Elliptic Curve Menezes-Qu-Vanstone (ECMQV), Elliptic Curve Diffie-
> > >    Hellman (ECDH), and Elliptic Curve Digital Signature Algorithm
> > >    (ECDSA), as well as utilizing the SHA2 family of secure hash
> > >    algorithms.
> > > Slight error here: ECMQV is no longer part of Suite B.  For sake of
> > > correctness, I'd suggest something like the following:
> > >
> > >    In the interest of adding Suite B algorithms to SSH this document
> > >    adds two ECC Suite B algorithms to the Secure Shell arsenal:
> > >    Elliptic Curve Diffie-Hellman (ECDH), and Elliptic Curve Digital
> > >    Signature Algorithm (ECDSA), as well as utilizing the SHA2 family
> > >    of secure hash algorithms. Additionally, support is provided for
> > >    Elliptic Curve Menezes-Qu-Vanstone (ECMQV).
> >
> > Why not drop ECMQV from the draft entirely? AFAIK it is patented,
> > which is enough to stop us (OpenSSH) from implementing it. I think
> > new KEX methods need a very good justification, since they represent
> > a significant part of the pre-auth attack surface.
> >
> > Also on the -08 draft, shouldn't the client and server in ECDH reject
> > public keys from the peer that are points at infinity? Are there
> > other degenerate values to worry about?
> >
> > -d
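
The question raised in the thread about rejecting the point at infinity and other degenerate ECDH public keys, illustrated as an added example that is not part of the original messages or of any draft text. It assumes NIST P-256 with uncompressed SEC 1 point encoding and follows the SEC 1 public key validation steps for a cofactor-1 curve; the function names and sample inputs are hypothetical.

```python
# Published P-256 domain parameters (cofactor h = 1).
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
FIELD_LEN = 32  # octets per coordinate

class InvalidPeerKey(ValueError):
    """Raised when a received public key fails validation."""

def encode_uncompressed(x, y):
    """SEC 1 uncompressed form: 0x04 || X || Y."""
    return b"\x04" + x.to_bytes(FIELD_LEN, "big") + y.to_bytes(FIELD_LEN, "big")

def validate_peer_key(octets):
    """Decode an uncompressed point, rejecting degenerate values."""
    if octets == b"\x00":  # SEC 1 encoding of the point at infinity
        raise InvalidPeerKey("point at infinity")
    if len(octets) != 1 + 2 * FIELD_LEN or octets[0] != 0x04:
        raise InvalidPeerKey("not an uncompressed P-256 point")
    x = int.from_bytes(octets[1:1 + FIELD_LEN], "big")
    y = int.from_bytes(octets[1 + FIELD_LEN:], "big")
    if x >= P or y >= P:  # coordinates must be reduced field elements
        raise InvalidPeerKey("coordinate out of range")
    if (y * y - (x * x * x + A * x + B)) % P != 0:  # y^2 = x^3 + ax + b
        raise InvalidPeerKey("point not on curve")
    # h = 1: any on-curve point other than infinity already has order n.
    return x, y

def rejection_reason(octets):
    """Return why a key is rejected, or None if it is accepted."""
    try:
        validate_peer_key(octets)
    except InvalidPeerKey as exc:
        return str(exc)
    return None

# Constructed sample inputs (not captured from any real exchange).
SAMPLES = {
    "generator": encode_uncompressed(GX, GY),
    "infinity": b"\x00",
    "all-zero": encode_uncompressed(0, 0),
    "x = p": encode_uncompressed(P, GY),
    "off-curve": encode_uncompressed(GX, GY + 1),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, "->", rejection_reason(blob) or "accepted")
```

The checks run before any scalar multiplication with the local private key, so a rejected value never reaches the shared-secret computation.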