IETF-SSH archive


Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)



> same sentence that advice from the NSA is uncritically accepted

It's not uncritical acceptance. It's recognition that:

- The guidelines are not so unreasonable as to be dismissed out of hand.

- Reasonable or not, a large proportion of implementations are going to have to follow them.

As long as the guidelines are not unreasonable, implementations that don't have to follow them are going to want to be compatible with those that do.

If the purpose of having "MUST" algorithms is to minimize implementation complexity for widespread interoperability, we ought to "MUST" the most interoperable algorithms.

I'm really not in a position where this is a problem for me, though. I can implement all the algorithms. The type of person who would ultimately care is someone who has to implement both ecdh-nistp384 and curve25519-sha256 on a resource-constrained device, to be compatible with the requirements of different types of end users.

But perhaps this is simply an unavoidable feature of the cryptographic landscape, that we cannot really avoid at the moment. (And will not be able to, unless the US government starts to stand up for some kind of civilized principles, and somehow starts being trustworthy. :-/ )


----- Original Message -----
From: Damien Miller
Sent: Monday, February 15, 2016 03:10
To: denis bider
Cc: Mark D. Baushke; Niels Möller; Peter Gutmann; Simon Josefsson; ietf-ssh%netbsd.org@localhost
Subject: Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)

On Mon, 15 Feb 2016, denis bider wrote:

> Being widely implemented is not sufficient for MUST.

No, but it is necessary.

> curve25519-sha256 has
> the unfortunate distinction of being widely deployed right after widespread
> recognition of the need for safe curves, but just before the upping of NSA
> recommendations.

It's a bit weird to see recognition of safe curves accepted in the same
sentence that advice from the NSA is uncritically accepted. Much of the
justification for the so-called safe curves is because most people don't
trust the NSA to set crypto standards any more.

> I intend to implement curve25519-sha256 in Bitvise SSH Server and Client
> when not used under FIPS. However, it cannot be available in FIPS mode,
> because its crypto is not covered by FIPS 140-2.

FIPS has lagged and will always lag current good practice (in which
year did it deprecate single-DES?). IMO FIPS compatibility is not a
justification to deny inclusion of an algorithm in the MUST set (though
it might be a justification for including an algorithm).

> I agree that safe curves are most likely superior to the ecdh-nistp
> curves, and provide greater safety of implementation. However, it puts
> the spec in conflict with reality if we specify a MUST algorithm that
> can't be used by a significant proportion of users.

MUST specifies what implementations have to support, not what users
can/can't use. nistp384/521 is already there for the subset of users
who are shackled to NIST-specified algorithms, but there is a very
substantial user population who want an alternative and
curve25519-sha256 has already proved itself a fine fit.

-d
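The interoperability argument running through this thread (a MUST algorithm only helps if every conforming peer, FIPS-restricted or not, ends up with a common entry in its kex list) can be made concrete with the negotiation rule from RFC 4253 section 7.1: the chosen kex algorithm is the first one on the client's name-list that the server also supports. The following is an added example, not code from this thread, from Bitvise or from any SSH implementation. The preference lists are constructed for illustration; the host-key compatibility clause of the real rule is left out for brevity.

```python
"""Model of SSH kex algorithm negotiation (RFC 4253 section 7.1), simplified.

Added example: the negotiation rule is the real one (first algorithm on the
client's list that the server also offers wins), minus the host-key
compatibility clause. The preference lists below are constructed, not taken
from any real implementation's defaults.
"""


def negotiate_kex(client_prefs, server_prefs):
    """Return the first client-preferred algorithm also offered by the server,
    or None when there is no algorithm in common (a real peer would then
    disconnect with a key exchange failure)."""
    server_set = set(server_prefs)
    for alg in client_prefs:
        if alg in server_set:
            return alg
    return None


def name_list(prefs):
    """Encode a preference list in the comma-separated name-list wire form
    used in SSH_MSG_KEXINIT."""
    return ",".join(prefs)


def missing_must(prefs, must_set):
    """Which algorithms of a proposed MUST set does this peer not offer?"""
    return sorted(set(must_set) - set(prefs))


def must_set_guarantees_interop(must_set, *all_prefs):
    """True if every pair of the given peers interoperates once each of them
    supports the whole MUST set (the intersection is then non-empty by
    construction); False if some peer is missing a MUST algorithm."""
    return all(not missing_must(p, must_set) for p in all_prefs)


# Constructed preference lists (assumptions for the example):
# a FIPS-mode peer that only offers NIST/FIPS-approved algorithms ...
FIPS_ONLY = [
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521",
    "ecdh-sha2-nistp256",
    "diffie-hellman-group14-sha256",
]

# ... a peer that prefers curve25519 but keeps a NIST curve for compatibility ...
MODERN_DEFAULT = [
    "curve25519-sha256",
    "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp384",
    "diffie-hellman-group14-sha256",
]

# ... and a peer that dropped every NIST curve and offers only curve25519.
CURVE25519_ONLY = [
    "curve25519-sha256",
    "curve25519-sha256@libssh.org",
]


if __name__ == "__main__":
    for client, server in [(MODERN_DEFAULT, FIPS_ONLY),
                           (FIPS_ONLY, MODERN_DEFAULT),
                           (CURVE25519_ONLY, FIPS_ONLY)]:
        print(name_list(client), "->", name_list(server), ":",
              negotiate_kex(client, server))
    # A MUST set containing only curve25519-sha256 leaves the FIPS peer out.
    print(missing_must(FIPS_ONLY, ["curve25519-sha256"]))
    print(must_set_guarantees_interop(["ecdh-sha2-nistp384"],
                                      FIPS_ONLY, MODERN_DEFAULT, CURVE25519_ONLY))
```

Running it shows the two outcomes the thread argues over: a peer that keeps a NIST curve in its list still reaches the FIPS-only peer (on ecdh-sha2-nistp384), while the curve25519-only peer and the FIPS-only peer have an empty intersection and would fail key exchange. `must_set_guarantees_interop` is the check a working group would want: a MUST set only buys interoperability if every conforming implementation can actually ship all of it.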


