Re: New version of rsa-sha2-512 draft posted: no more DSA

To: pgut001%cs.auckland.ac.nz@localhost
Subject: Re: New version of rsa-sha2-512 draft posted: no more DSA
From: denis bider <ietf-ssh3%denisbider.com@localhost>
Date: Fri, 6 Nov 2015 17:48:26 +0000

From my perspective, SHA-2 512 seems like the clear winner in the RSA situation, due to 64-bit CPUs being destined for ubiquity (already ubiquitous on desktops, a few years away on mobile), and because - why not have a larger hash output at no additional cost (it's embedded in the signature, anyway).

However, if there are platforms where availability is a problem, then okay, let's have both versions. I'll update the draft to re-add rsa-sha2-256, and make that recommended, and -512 optional.

I'm also thinking of removing the currently proposed SSH_MSG_IGNORE mechanism, and replacing it with a new and separate draft that would propose proper SSH extension negotiation. The mechanism I have in mind would be largely costless compared to the current situation, and would optimize away the unnecessary SERVICE_REQUEST round-trip.

Thanks for the feedback!

----- Original Message -----
denis bider <ietf-ssh3%denisbider.com@localhost> writes:

>I have taken into account Damien's suggestion for rsa-sha2-512, and observed
>that there appears to be no reason to have rsa-sha2-256, if we have rsa-
>sha2-512. As far as I can tell, SHA-2 512 should be reasonably available
>everywhere that SHA-2 256 is available.

Uhh, that's more or less the opposite of the actual situation: SHA2-256 is
fast becoming the universal replacement for SHA-1, while SHA2-512 is the "oh,
there's another one alongside -256?" alternative. For example Mozilla just
posted the following discussion item:

In item #8 of the Maintenance Policy recommend that CAs avoid SHA-512 and
P-521, especially in their CA certificates. This is to ensure
interoperability, as SHA-512 and (especially) P-521 are less well-supported
than the other algorithms.

So it should be MUST -256, MAY -512, at most.

(I can't see any good reason to have -512, it has little support, it's a pain
to do on 32-bit CPUs, it's slow, and it offers little to no practical security
advantage over -256).

Peter.

Follow-Ups:
- RE: New version of rsa-sha2-512 draft posted: no more DSA
  - From: Peter Gutmann

Prev by Date: The (de)merits ot making checks you don't have to make
Next by Date: Re: SSH key algorithm updates
Previous by Thread: RE: New version of rsa-sha2-512 draft posted: no more DSA
Next by Thread: RE: New version of rsa-sha2-512 draft posted: no more DSA
Indexes:

Home | Main Index | Thread Index | Old Index