IETF-SSH archive


RE: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)



mdb%juniper.net@localhost <mdb%juniper.net@localhost> writes:

>RFC2119 says that "SHOULD NOT" and "NOT RECOMMENDED" have the same meaning.

This assumes that whoever's reading that knows that 2119 exists, and bothers
reading it.  If you're dealing with an industry standards group working
on, say, PLCs for infrastructure control whose primary goal is to find reasons
to avoid changing what they've got now (not that I have any experience with
those or anything...) then they're going to look at "NOT RECOMMENDED" and
decide that it's OK to keep using SHA-1 for the next ten years (literally,
that's the time frames they think in).

>To make it stronger would mean moving to "MUST NOT" instead.

No, just use the SHOULD NOT wording option rather than NOT RECOMMENDED.  Same
for the others, SHOULD rather than RECOMMENDED.

>The terms are supposed to be understood in the context of RFC2119.

See above.  People working on things like SCADA neither know about RFC 2119,
nor care about it if it's pointed out to them.  They'll look at the spec at
hand, take the simplest option in there, and go with that.  "SHA-1 isn't
necessarily recommended but we have legacy considerations so we'll keep using
it forever.  We can consider the other recommendations in the next
standardisation round in 2025 if required".

>I have no strong preference for which of the equivalent terms are used if it
>helps make the point better. Does it really make the point better?

Yes, definitely.  SHOULD NOT is pretty explicit while NOT RECOMMENDED is,
well, something you see in restaurant reviews.

>The concern for SHA-1 is specified in the Overview and Rationale as well as in
>the Security Considerations section.

The Overview portion, which is the one that'll get read, mentions "security
concerns with SHA-1", which really doesn't tell you much, almost everything
has security concerns to some degree.  So it'd be good to have the note with
the text I proposed saying something like "the SHA-1 option is provided for
backwards compatibility, shouldn't be used in new designs, and should be
phased out of existing ones as quickly as possible because it's not secure"
somewhere close to the SHOULD NOT -sha1.

Peter.
