IETF-SSH archive


suggestion for new ssh maintenance wg (was: Re: [Curdle] SSH crypto updates / Re: Call for Adoption)



(Dropping the curdle list for just this question.)

Hiya,

Denis identified a few topics (below) where he figures
there's scope for an ssh maintenance wg but where those
topics don't clearly fit in the curdle wg.

If there are other folks who'd like to see that work
get done in an ssh maintenance wg then please say so
on this list. And please say if you'd be willing to
write documents or to review documents or if you'd be
implementing.

If you've another relevant topic please also respond
with information (ideally a draft) about that.

If you think such an ssh maintenance wg is a bad plan,
please also do say that and why you think that.

From my POV, I'd be happy to help such a wg be formed
if there seems to be sufficient qualified support and
folks likely to implement and victims^H^H^H^H^H^H^Hvolunteers
to chair it:-)

Cheers,
S.

PS: If a new ssh wg gets sufficient support, we can then
figure out whether or not some of the stuff that does
fit curdle could be better done in an ssh wg, but let's
leave that aside for now and allow ssh work in curdle to
proceed without this process stuff slowing that down.

PPS: Note that this could be a short-lived wg that never
needs to meet face-to-face, or maybe it'd not be like that,
but don't get fussed about having to go to IETF meetings
to get this work done - if it's maintenance then that may
well not be needed.

On 14/01/16 06:57, denis bider wrote:
[... probably curdle relevant stuff deleted...]

> This is an extension to SSH that's not directly crypto related, but
> comes hand in hand with the new RSA signature algorithms - it's
> infrastructure that allows for their efficient discovery without
> incurring authentication penalties:
> 
> Extension negotiation for SSH: 
> https://datatracker.ietf.org/doc/draft-ssh-ext-info
> 
> In addition to the above, I very much agree that aes-gcm@openssh.com
> needs standardization.
> 
> I would welcome either all of the above being adopted by the Curdle
> group; or else, a new WG being created specifically to perform
> maintenance on SSH.
> 
> Among other things, the erstwhile SSH working group never finalized
> the SFTP spec due to lack of consensus. We now have two SFTP specs,
> version 3 implemented by OpenSSH, and version 6 implemented by most
> everyone else.
> 
> It seems to me there's plenty of work that could be done by a new SSH
> working group, if it were founded. If Curdle doesn't want to adopt
> some of the above things, then these things would properly belong
> into a new SSH working group.
> 
> However, there isn't one, currently.
> 
> denis
> 
> 
> ----- Original Message -----
> From: Watson Ladd
> Sent: Wednesday, January 13, 2016 10:40
> To: Daniel Migault
> Cc: mdb%juniper.net@localhost ; Curdle Chairs ; Curdle ; ietf-ssh%NetBSD.org@localhost
> Subject: Re: [Curdle] Call for Adoption
> 
> On Wed, Jan 13, 2016 at 8:31 AM, Daniel Migault 
> <daniel.migault%ericsson.com@localhost> wrote:
>> Hi,
>> 
>> Thanks for the suggestion. I think it falls into the scope of the
>> WG.
>> 
>> The question I would have is whether it would make sense to extend
>> the document to the crypto suites other than DH - i.e. encryption,
>> mac. This would result in a document providing cryptographic
>> recommendations for SSH and have this document regularly updated
>> as crypto evolves. Any opinion?
> 
> I'd prefer to prioritize the already deployed Curve25519 and Ed25519
> work over crypto recommendations which other groups can develop. We
> also should consider aes-gcm@openssh.com to be added as this
> addresses a corner case in the spec which makes AEAD complex.
> 
>> 
>> BR, Daniel
>> 
>> -----Original Message-----
>> From: mdb%juniper.net@localhost [mailto:mdb%juniper.net@localhost]
>> Sent: Wednesday, January 13, 2016 10:40 AM
>> To: Curdle Chairs
>> Cc: Curdle; ietf-ssh%NetBSD.org@localhost
>> Subject: Re: [Curdle] Call for Adoption
>> 
>> Hi,
>> 
>> Over on the ietf-ssh@NetBSD.org list, Stephen Farrell suggested
>> that I see if I could add
>> 
>> https://datatracker.ietf.org/doc/draft-baushke-ssh-dh-group-sha2
>> 
>> under the curdle charter.
>> 
>> The draft deprecates a Secure Shell (SSH) key exchange algorithm
>> (Diffie-Hellman group1 - a 768-bit MODP group) and recommends
>> replacement with stronger Diffie-Hellman MODP groups (groups 14,
>> 15, 16).
>> 
>> The draft does have two interoperable implementations that have
>> implemented it.
>> 
>> Does it fit well enough into the curdle charter to be added here?
>> 
>> Thank you,
>> -- Mark
>> 
>> ------- forwarded message -------
>> From: Stephen Farrell <stephen.farrell%cs.tcd.ie@localhost>
>> Date: Wed, 13 Jan 2016 10:34:05 +0000
>> Subject: Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)
>> 
>> Hiya,
>> 
>> On 13/01/16 09:21, Mark D. Baushke wrote:
>>> Hi,
>>> 
>>> URL:
>>> https://datatracker.ietf.org/doc/draft-baushke-ssh-dh-group-sha2
>>> 
>>> I believe that OpenSSH and Dropbear SSH have both implemented 
>>> interoperable versions using the current 01 version at this point
>>> in time.
>>> 
>>> I would be interested in hearing if any other implementations
>>> have adopted these new DH groups.
>>> 
>>> Are there any additional comments or changes needed for the
>>> draft before we can move to the next step in the process?
>>> 
>>> Hmmm... What is next? Getting 'AD is watching' or is it getting
>>> a document shepherd?
>> 
>> There's no active SSH WG, but there is the curdle WG. Its charter
>> [1] however is limited in terms of what it's allowed to add to
>> protocols. OTOH, this is not defining any new groups, just updating
>> codepoints, including deprecating one (to NOT RECOMMENDED). So the
>> draft could fit there on that basis I guess. So I'd say send a mail
>> to the curdle list and suggest this be adopted there.
>> 
>> If that doesn't work I can look at AD sponsoring it, but since one
>> of the reasons to setup curdle was to avoid too many of these being
>> AD sponsored, please try there first.
>> 
>> Cheers, S.
>> 
>> [1] https://tools.ietf.org/wg/curdle
>> 
>>> 
>>> Thank you,
>>> -- Mark
>> 
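As an added example, not code from this thread or from any implementation named in it: a small audit of one SSH_MSG_KEXINIT payload that flags an offer of diffie-hellman-group1-sha1 (the algorithm draft-baushke-ssh-dh-group-sha2 deprecates), reports whether the SHA-2 MODP groups 14/15/16 are offered, and checks for the draft-ssh-ext-info marker names. The exact method and marker names are assumed from the later published RFCs 8268 and 8308, and the sample packets are constructed inline, not captured.

```python
import struct

# Names assumed from RFC 8268 (the published form of draft-baushke-ssh-dh-group-sha2):
# group1 becomes NOT RECOMMENDED, the SHA-2 MODP groups 14/15/16 are the replacements.
DEPRECATED_KEX = {"diffie-hellman-group1-sha1"}
SHA2_MODP_KEX = {"diffie-hellman-group14-sha256",
                 "diffie-hellman-group15-sha512",
                 "diffie-hellman-group16-sha512"}
# Marker names assumed from RFC 8308 (draft-ssh-ext-info): advertised in kex_algorithms.
EXT_INFO_MARKERS = {"ext-info-c", "ext-info-s"}
KEXINIT_FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def read_name_list(buf, off):
    """Decode one RFC 4251 name-list: uint32 length + comma-separated ASCII names."""
    (n,) = struct.unpack_from(">I", buf, off)
    raw = buf[off + 4:off + 4 + n]
    if len(raw) != n:
        raise ValueError("truncated name-list")
    return (raw.decode("ascii").split(",") if raw else []), off + 4 + n

def parse_kexinit(payload):
    """Parse an SSH_MSG_KEXINIT payload: msg byte 20, 16-byte cookie, 10 name-lists,
    boolean first_kex_packet_follows, uint32 reserved."""
    if not payload or payload[0] != 20:
        raise ValueError("not SSH_MSG_KEXINIT")
    off, out = 17, {}
    for field in KEXINIT_FIELDS:
        out[field], off = read_name_list(payload, off)
    if len(payload) < off + 5:
        raise ValueError("truncated KEXINIT")
    out["first_kex_packet_follows"] = bool(payload[off])
    return out

def audit_kexinit(payload):
    """Summarise deprecated and recommended KEX offers plus ext-info support."""
    kex = set(parse_kexinit(payload)["kex"])
    return {"deprecated": sorted(kex & DEPRECATED_KEX),
            "sha2_modp": sorted(kex & SHA2_MODP_KEX),
            "ext_info": bool(kex & EXT_INFO_MARKERS)}

def build_kexinit(kex, host_keys=("ssh-rsa",), ciphers=("aes256-gcm@openssh.com",),
                  macs=("hmac-sha2-256",), comps=("none",)):
    """Construct a sample KEXINIT payload for testing (not a captured packet)."""
    def nl(names):
        raw = ",".join(names).encode("ascii")
        return struct.pack(">I", len(raw)) + raw
    lists = [kex, host_keys, ciphers, ciphers, macs, macs, comps, comps, (), ()]
    return bytes([20]) + bytes(16) + b"".join(nl(x) for x in lists) + b"\x00" + bytes(4)
```

Feed `audit_kexinit` the decrypted-never, plaintext KEXINIT payload a server or client sends right after the version exchange; a non-empty `deprecated` list is the finding the draft is about.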


