IETF-SSH archive


RE: New version of rsa-sha2-512 draft posted: no more DSA



denis bider <ietf-ssh3%denisbider.com@localhost> writes:

>From my perspective, SHA-2 512 seems like the clear winner in the RSA
>situation, due to 64-bit CPUs being destined for ubiquity (already ubiquitous
>on desktops, a few years away on mobile), 

... and decades away on embedded.  Most of my users are running SSH on
embedded platforms, for which the presence of 64-bit is close to zero, and no
plan to move to that.  I probably have more SSH running on 16-bit embedded
than 64-bit embedded.

>why not have a larger hash output at no additional cost (it's embedded in the
>signature, anyway).

Not if you're using P-256 rather than RSA.  Only SHA-256 will work with P-256
which (again from the Mozilla discussion) is the most widely-used parameter
set, with P-521 (needed for -512) being barely used:

  lots of products can (and, it seems, are planning to, or already are)
  omitting support for P-521.
    (Comment from https://mozillians.org/en-US/u/briansmith/)

(You can truncate -512 to make it work with P-256, but I wouldn't want to take
any bets on how well-supported that will be in practice).

>However, if there are platforms where availability is a problem, then okay,
>let's have both versions. I'll update the draft to re-add rsa-sha2-256, and
>make that recommended, and -512 optional.

Thanks!

Peter.
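
To make the hash/curve pairing in the reply above concrete, here is an added example that is not part of the original thread or any SSH implementation: a teaching-grade ECDSA over NIST P-256 in pure Python. It signs once with SHA-256 (which matches the curve's 256-bit order directly) and once with SHA-512 truncated to 256 bits as FIPS 186-4 prescribes, then shows that a signature only verifies when signer and verifier agree on which hash was used. The curve constants are the published P-256 parameters; the message, key and all function names are constructed for this example.

```python
"""Teaching-grade ECDSA over NIST P-256 (pure Python, not constant-time).

Constructed example for the mailing-list discussion; not production code.
"""
import hashlib
import secrets

# Published NIST P-256 domain parameters (curve constants, not assumptions).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def on_curve(pt):
    """True if pt satisfies y^2 = x^3 + ax + b (mod p); None is the point at infinity."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine point addition/doubling; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:          # p1 == -p2
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P           # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add scalar multiplication (leaks timing; fine for a demo)."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return result


def hash_to_int(digest):
    """FIPS 186-4 truncation: keep the leftmost bitlen(n) bits of the digest.

    For SHA-256 that is the whole digest; for SHA-512 it drops the low 256 bits.
    """
    e = int.from_bytes(digest, "big")
    excess = len(digest) * 8 - N.bit_length()
    return e >> excess if excess > 0 else e


def keygen():
    d = secrets.randbelow(N - 1) + 1        # private scalar in [1, n-1]
    return d, scalar_mult(d, G)


def sign(d, msg, hash_name):
    e = hash_to_int(hashlib.new(hash_name, msg).digest())
    while True:
        k = secrets.randbelow(N - 1) + 1    # per-signature nonce; must never repeat
        r = scalar_mult(k, G)[0] % N
        if r == 0:
            continue
        s = pow(k, -1, N) * (e + r * d) % N
        if s != 0:
            return (r, s)


def verify(q, msg, sig, hash_name):
    r, s = sig
    if q is None or not on_curve(q) or not (1 <= r < N and 1 <= s < N):
        return False
    e = hash_to_int(hashlib.new(hash_name, msg).digest())
    w = pow(s, -1, N)
    pt = point_add(scalar_mult(e * w % N, G), scalar_mult(r * w % N, q))
    return pt is not None and pt[0] % N == r


def demo():
    """Sign one constructed message under each hash and cross-check the pairings."""
    d, q = keygen()
    msg = b"constructed sample message for the P-256 hash-pairing demo"
    sig256 = sign(d, msg, "sha256")
    sig512 = sign(d, msg, "sha512")     # only works because hash_to_int truncates
    return {
        "sha256_sig_with_sha256": verify(q, msg, sig256, "sha256"),
        "sha512_sig_with_sha512": verify(q, msg, sig512, "sha512"),
        "sha256_sig_with_sha512": verify(q, msg, sig256, "sha512"),  # peers disagree on hash
        "sha256_sig_tampered_msg": verify(q, msg + b"!", sig256, "sha256"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The third result is the interoperability point: the truncated-SHA-512 signature is mathematically valid on P-256, but a peer that follows the SSH algorithm name (RFC 5656 fixes SHA-256 for ecdsa-sha2-nistp256 and SHA-512 for nistp521) will hash with SHA-256 and reject it. The nonce `k` is drawn with `secrets` because a repeated or predictable nonce exposes the private key; a real implementation would also use constant-time field arithmetic.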



