IETF-SSH archive


RE: New version of rsa-sha2-512 draft posted: no more DSA



On Fri, 6 Nov 2015, Peter Gutmann wrote:

> denis bider <ietf-ssh3%denisbider.com@localhost> writes:
> 
> >I have taken into account Damien's suggestion for rsa-sha2-512, and observed
> >that there appears to be no reason to have rsa-sha2-256, if we have rsa-
> >sha2-512. As far as I can tell, SHA-2 512 should be reasonably available
> >everywhere that SHA-2 256 is available.
> 
> Uhh, that's more or less the opposite of the actual situation: SHA2-256 is
> fast becoming the universal replacement for SHA-1, while SHA2-512 is the "oh,
> there's another one alongside -256?" alternative.  For example Mozilla just
> posted the following discussion item:
> 
>   In item #8 of the Maintenance Policy recommend that CAs avoid SHA-512 and
>   P-521, especially in their CA certificates. This is to ensure
>   interoperability, as SHA-512 and (especially) P-521 are less well-supported
>   than the other algorithms.

I don't think the glacial* crypto adoption pace of CAs is relevant to 
the choices we make for SSH. Moreover, any SSH implementation that
supports ed25519 in the future will need SHA512 for its inner hash,
so it's not like it will be extra code to carry around.

-d

* actually unfair to glaciers
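The point made above, that an SSH implementation carrying ed25519 already has to carry SHA-512, can be seen directly in the algorithm: Ed25519 (RFC 8032) uses SHA-512 to expand the 32-byte seed into the scalar and the nonce prefix, to derive the per-signature nonce r, and to derive the challenge k. The following is an added pure-Python illustration, not code from this thread, from OpenSSH or from any SSH project; it follows the RFC 8032 construction with `hashlib.sha512` as its only hash primitive, and the key and signature bytes it checks against are RFC 8032 section 7.1 test vector 1. The `ssh_ed25519_sig_blob` helper is an assumption about the SSH wire format for a signature (a length-prefixed algorithm name followed by a length-prefixed signature), added here to show where the output would go. The arithmetic is variable-time and the curve operations are unoptimised, so this is for reading, not for production use.

```python
import hashlib

# Ed25519 parameters from RFC 8032, section 5.1.
p = 2**255 - 19                                        # field prime
q = 2**252 + 27742317777372353535851937790883648493    # group order
d = (-121665 * pow(121666, p - 2, p)) % p              # curve constant
I = pow(2, (p - 1) // 4, p)                            # sqrt(-1) mod p


def H(m: bytes) -> bytes:
    """The only hash Ed25519 needs: SHA-512 everywhere."""
    return hashlib.sha512(m).digest()


def inv(x: int) -> int:
    return pow(x, p - 2, p)


def xrecover(y: int) -> int:
    # Solve x^2 = (y^2 - 1) / (d*y^2 + 1) and pick the even root.
    xx = (y * y - 1) * inv(d * y * y + 1)
    x = pow(xx, (p + 3) // 8, p)
    if (x * x - xx) % p != 0:
        x = (x * I) % p
    if x % 2 != 0:
        x = p - x
    return x


By = (4 * inv(5)) % p
B = (xrecover(By), By)        # base point


def edwards_add(P, Q):
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + x2 * y1) * inv(1 + t)
    y3 = (y1 * y2 + x1 * x2) * inv(1 - t)
    return (x3 % p, y3 % p)


def scalarmult(P, e: int):
    # Plain double-and-add; variable-time, illustration only.
    Q = (0, 1)
    while e:
        if e & 1:
            Q = edwards_add(Q, P)
        P = edwards_add(P, P)
        e >>= 1
    return Q


def isoncurve(P) -> bool:
    x, y = P
    return (-x * x + y * y - 1 - d * x * x * y * y) % p == 0


def encodepoint(P) -> bytes:
    x, y = P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def decodepoint(s: bytes):
    y = int.from_bytes(s, "little")
    sign, y = y >> 255, y & ((1 << 255) - 1)
    x = xrecover(y)
    if x & 1 != sign:
        x = p - x
    P = (x, y)
    if not isoncurve(P):
        raise ValueError("point not on curve")
    return P


def secret_expand(sk: bytes):
    """SHA-512 use #1: expand the seed into the clamped scalar a and the nonce prefix."""
    h = H(sk)
    a = int.from_bytes(h[:32], "little")
    a = (a & ((1 << 254) - 8)) | (1 << 254)   # clamp per RFC 8032
    return a, h[32:]


def publickey(sk: bytes) -> bytes:
    a, _ = secret_expand(sk)
    return encodepoint(scalarmult(B, a))


def sign(sk: bytes, m: bytes) -> bytes:
    a, prefix = secret_expand(sk)
    A = encodepoint(scalarmult(B, a))
    r = int.from_bytes(H(prefix + m), "little") % q         # SHA-512 use #2: nonce
    R = encodepoint(scalarmult(B, r))
    k = int.from_bytes(H(R + A + m), "little") % q          # SHA-512 use #3: challenge
    s = (r + k * a) % q
    return R + s.to_bytes(32, "little")


def verify(pk: bytes, m: bytes, sig: bytes) -> bool:
    if len(pk) != 32 or len(sig) != 64:
        return False
    try:
        A = decodepoint(pk)
        R = decodepoint(sig[:32])
    except ValueError:
        return False
    s = int.from_bytes(sig[32:], "little")
    if s >= q:                       # reject non-canonical s (signature malleability)
        return False
    k = int.from_bytes(H(sig[:32] + pk + m), "little") % q
    return scalarmult(B, s) == edwards_add(R, scalarmult(A, k))


def ssh_ed25519_sig_blob(sig: bytes) -> bytes:
    """Assumed SSH wire encoding: string 'ssh-ed25519' followed by string signature."""
    def ssh_string(b: bytes) -> bytes:
        return len(b).to_bytes(4, "big") + b
    return ssh_string(b"ssh-ed25519") + ssh_string(sig)


if __name__ == "__main__":
    sk = bytes.fromhex("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60")
    pk = publickey(sk)
    sig = sign(sk, b"")
    print(pk.hex(), sig.hex(), verify(pk, b"", sig))
```

Every hash call in the block goes through `H`, so replacing `hashlib.sha512` with anything else breaks interoperability with the RFC 8032 vectors; that is the dependency being referred to when the message says an ed25519-capable implementation already has SHA-512 on board.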


