IETF-SSH archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)
On Mon, 15 Feb 2016, denis bider wrote:
> Being widely implemented is not sufficient for MUST.
No, but it is necessary.
> curve25519-sha256 has
> the unfortunate distinction of being widely deployed right after widespread
> recognition of the need for safe curves, but just before the upping of NSA
> recommendations.
It's a bit weird to see recognition of safe curves accepted in the same
sentence that advice from the NSA is uncritically accepted. Much of the
justification from the so-called safe curves is because most people don't
trust the NSA to set crypto standards any more.
> I intend to implement curve25519-sha256 in Bitvise SSH Server and Client
> when not used under FIPS. However, it cannot be available in FIPS mode,
> because its crypto is not covered by FIPS 140-2.
FIPS has lagged and will always lag current good practice (in which
year did it deprecate single-DES?). IMO FIPS compatibility is not a
justification to deny inclusion of an algorithm in the MUST set (though
it might be a justification for including an algorithm).
> I agree that safe curves are most likely superior to the ecdh-nistp
> curves, and provide greater safety of implementation. However, it puts
> the spec in conflict with reality if we specify a MUST algorithm that
> can't be used by a significant proportion of users.
MUST specifies what implementations have to support, not what users
can/can't use. nistp384/521 is already there for the subset of users
who are shackled to NIST-specified algorithms, but there is a very
substantial user population who want an alternative and
curve25519-sha256 has already proved itself a fine fit.
-d
Home |
Main Index |
Thread Index |
Old Index