IETF-SSH archive


Re: New version of rsa-sha2-512 draft posted: no more DSA



From my perspective, SHA-2 512 seems like the clear winner in the RSA situation, due to 64-bit CPUs being destined for ubiquity (already ubiquitous on desktops, a few years away on mobile), and because - why not have a larger hash output at no additional cost (it's embedded in the signature, anyway).

However, if there are platforms where availability is a problem, then okay, let's have both versions. I'll update the draft to re-add rsa-sha2-256, and make that recommended, and -512 optional.

I'm also thinking of removing the currently proposed SSH_MSG_IGNORE mechanism, and replacing it with a new and separate draft that would propose proper SSH extension negotiation. The mechanism I have in mind would be largely costless compared to the current situation, and would optimize away the unnecessary SERVICE_REQUEST round-trip.

Thanks for the feedback!


----- Original Message -----
denis bider <ietf-ssh3%denisbider.com@localhost> writes:

>I have taken into account Damien's suggestion for rsa-sha2-512, and observed
>that there appears to be no reason to have rsa-sha2-256, if we have rsa-
>sha2-512. As far as I can tell, SHA-2 512 should be reasonably available
>everywhere that SHA-2 256 is available.

Uhh, that's more or less the opposite of the actual situation: SHA2-256 is
fast becoming the universal replacement for SHA-1, while SHA2-512 is the "oh,
there's another one alongside -256?" alternative.  For example Mozilla just
posted the following discussion item:

  In item #8 of the Maintenance Policy recommend that CAs avoid SHA-512 and
  P-521, especially in their CA certificates. This is to ensure
  interoperability, as SHA-512 and (especially) P-521 are less well-supported
  than the other algorithms.

So it should be MUST -256, MAY -512, at most.

(I can't see any good reason to have -512, it has little support, it's a pain
to do on 32-bit CPUs, it's slow, and it offers little to no practical security
advantage over -256).

Peter.
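The remark above that the hash choice is "embedded in the signature, anyway" refers to the rsa-sha2 wire format, which keeps the ssh-rsa layout of `string algorithm-name, string signature` (the draft later became RFC 8332). The following Python is an added example, not code from this thread: it encodes and parses that blob, maps the name inside it to the hash a verifier must use, and applies an assumed local acceptance policy (here mirroring Peter's MUST -256 / MAY -512) before any RSA verification; the RSA signature value itself is treated as opaque bytes.

```python
import hashlib
import struct

# Hash function that each SSH public-key signature name designates
# (ssh-rsa from RFC 4253; rsa-sha2-* from the rsa-sha2 draft, later RFC 8332).
SIG_HASH = {
    "ssh-rsa": "sha1",
    "rsa-sha2-256": "sha256",
    "rsa-sha2-512": "sha512",
}

def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def parse_ssh_string(buf: bytes, offset: int = 0):
    """Decode one SSH 'string' at offset; returns (value, new_offset)."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", buf, offset)
    start, end = offset + 4, offset + 4 + length
    if end > len(buf):
        raise ValueError("string length exceeds buffer")
    return buf[start:end], end

def encode_signature(algorithm: str, raw_sig: bytes) -> bytes:
    """Build the signature blob: string algorithm-name, string signature."""
    return ssh_string(algorithm.encode("ascii")) + ssh_string(raw_sig)

def parse_signature(blob: bytes, accepted: set):
    """Split a signature blob and check its algorithm name against policy.
    The name inside the blob, not the negotiated algorithm, selects the hash,
    so a verifier must check it. Returns (algorithm, hash_name, raw_sig)."""
    name, off = parse_ssh_string(blob)
    raw_sig, off = parse_ssh_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after signature")
    algorithm = name.decode("ascii")
    if algorithm not in SIG_HASH:
        raise ValueError(f"unknown signature algorithm {algorithm!r}")
    if algorithm not in accepted:  # assumed local policy, e.g. MUST -256 / MAY -512
        raise ValueError(f"algorithm {algorithm!r} not accepted by policy")
    return algorithm, SIG_HASH[algorithm], raw_sig

def digest_for(algorithm: str, data: bytes) -> bytes:
    """Hash the signed data with the function the signature name designates,
    the digest RSASSA-PKCS1-v1_5 verification then operates on."""
    return hashlib.new(SIG_HASH[algorithm], data).digest()
```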


