IETF-SSH archive
Re: DH group exchange (Re: SSH key algorithm updates)
"Mark D. Baushke" <mdb%juniper.net@localhost> writes:
>> I still think it is inappropriate to use group-exchange for groups
>> that are going to be widely used.
>
> I suppose we disagree on this subject.
Maybe not a very wide disagreement. I have no strong objection to
including *reviewed* fixed groups in the list of group-exchange
alternatives (even if I think using names to enable negotiation is
desirable, and that it's unfortunate that the client isn't informed
whether a particular group is fixed or ephemeral). I do object to using
fixed groups which have not been properly reviewed, e.g., generated at
compile time for a widely used server binary.
> It may also be desirable to setup a way that RFC 3526 groups:
>
> diffie-hellman-group14-sha256 (2048-bit MODP group - 112 bits of security)
> diffie-hellman-group15-sha256 (3072-bit MODP group - 128 bits of security)
>
> diffie-hellman-group16-sha384 (4096-bit MODP group - ~150 bits of security)
I think that is highly desirable. Implementation burden should be quite
small. One of these could be RECOMMENDED or even REQUIRED.
Regards,
/Niels
--
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.