IETF-SSH archive
Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)
Damien Miller <djm@mindrot.org> writes:
> On Sat, 13 Feb 2016, Mark D. Baushke wrote:
>
> > https://datatracker.ietf.org/doc/draft-baushke-ssh-dh-group-sha2/
>
> IMO curve25519-sha256 should be a MUST, if not immediately then soon.
> It's already supported under the curve25519-sha256@libssh.org alias by
> a few implementations.
Good point. I have moved curve25519-sha256 to MUST.
> This paragraph:
>
> > The group15, group16, group17, and group18 names are the same as
> > those specified in [RFC3526] as 3072-bit MODP Group 14, 4096-bit MODP
> > Group 15, 6144-bit MODP Group 17, and 8192-bit MODP Group 18.
>
> is incorrect: group 14 is 2048 bits, not 3072. Group 15 is 3072 bits,
> not 4096. Group 16's length is not described (4096 bits). 17 and 18 are
> correct.
Thank you for reporting this. I have updated the text in my copy and
removed group15 and group17 from the list.
I have submitted the new edition to
https://datatracker.ietf.org/doc/draft-baushke-ssh-dh-group-sha2/;
it should propagate shortly.
> I think the table of "Group modulus security strength estimates" should
> have a reference - are these from NIST SP800-57?
Actually, I do mention that I got the information from RFC3526,
but I will make that more explicit and also point to RFC3766
for making the security strength calculation in person.
Thank you,
-- Mark
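An added example, not part of this thread or of the draft: a Python sketch of the kind of security-strength estimate that RFC3766 describes, evaluated for the MODP modulus sizes named above (group14 2048, group15 3072, group16 4096, group17 6144, group18 8192 bits). It uses the general number field sieve cost model L[1/3, 1.923] with the o(1) term dropped. The calibration constant is my assumption, not a value copied from the RFC: it is chosen so that a 1228-bit modulus maps to 80 bits of symmetric strength, the pairing I recall from RFC3766's table, and the result should be checked against the RFC before any figure is quoted. A different model or calibration (the estimates in RFC3526, for instance) gives different numbers, which is exactly why a table of strength estimates needs a citation.

```python
import math

# Modulus sizes (bits) of the RFC 3526 MODP groups discussed in the thread.
MODP_GROUP_BITS = {
    "group14": 2048,
    "group15": 3072,
    "group16": 4096,
    "group17": 6144,
    "group18": 8192,
}


def gnfs_work_ln(modulus_bits):
    """Natural log of the estimated operation count for the general number
    field sieve on a modulus of the given size: L_n[1/3, 1.923] with the
    o(1) term dropped and ln n approximated by modulus_bits * ln 2."""
    ln_n = modulus_bits * math.log(2)
    return 1.923 * ln_n ** (1.0 / 3.0) * math.log(ln_n) ** (2.0 / 3.0)


def calibration_offset(anchor_bits=1228, anchor_strength=80):
    """ln-scale offset that makes anchor_bits map to anchor_strength.
    Assumption: the anchor (1228-bit modulus ~ 80-bit symmetric strength)
    is the pairing from RFC 3766's table; verify against the RFC."""
    return gnfs_work_ln(anchor_bits) - anchor_strength * math.log(2)


def modp_strength_bits(modulus_bits, offset=None):
    """Estimated symmetric-equivalent strength (bits) of a DH modulus:
    log2 of the calibrated GNFS operation count."""
    if offset is None:
        offset = calibration_offset()
    return (gnfs_work_ln(modulus_bits) - offset) / math.log(2)


def strength_table(groups=MODP_GROUP_BITS):
    """Return {group name: rounded strength estimate} for every group."""
    return {name: round(modp_strength_bits(bits)) for name, bits in groups.items()}


if __name__ == "__main__":
    for name, est in strength_table().items():
        print(f"{name}: {MODP_GROUP_BITS[name]}-bit modulus ~ {est} bits of strength")
```

Running the block prints one line per group; the estimates grow slowly with modulus size, which is the L[1/3] behaviour that makes an 8192-bit modulus worth far less than four times a 2048-bit one.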