IETF-SSH archive


Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)



On Mon, 15 Feb 2016, denis bider wrote:

> Being widely implemented is not sufficient for MUST.

No, but it is necessary.

> curve25519-sha256 has
> the unfortunate distinction of being widely deployed right after widespread
> recognition of the need for safe curves, but just before the upping of NSA
> recommendations.

It's a bit weird to see recognition of safe curves accepted in the same
sentence in which advice from the NSA is uncritically accepted. Much of the
justification for the so-called safe curves is that most people don't
trust the NSA to set crypto standards any more.

> I intend to implement curve25519-sha256 in Bitvise SSH Server and Client
> when not used under FIPS. However, it cannot be available in FIPS mode,
> because its crypto is not covered by FIPS 140-2.

FIPS has lagged and will always lag current good practice (in which
year did it deprecate single-DES?). IMO FIPS compatibility is not a
justification to deny inclusion of an algorithm in the MUST set (though
it might be a justification for including an algorithm).

> I agree that safe curves are most likely superior to the ecdh-nistp
> curves, and provide greater safety of implementation. However, it puts
> the spec in conflict with reality if we specify a MUST algorithm that
> can't be used by a significant proportion of users.

MUST specifies what implementations have to support, not what users
can/can't use. nistp384/521 is already there for the subset of users
who are shackled to NIST-specified algorithms, but there is a very
substantial user population who want an alternative and
curve25519-sha256 has already proved itself a fine fit.

-d
