IETF-SSH archive


RE: rsa-sha2-256/512: handling of incorrect signature encoding



denis bider (Bitvise) <ietf-ssh3%denisbider.com@localhost> writes:

>What type of “advertising SHA-2” do you mean? If the server advertises rsa-
>sha2-256 or -512 for server authentication, then it also needs to have an RSA
>host key. But the server might not have an RSA host key, it might only have
>an ECDSA or Curve25519 host key. 

I was thinking of it in an opportunistic-upgrade sense, for example for PGP
and S/MIME the mandatory algorithm is SHA-1 but if you receive a message
signed with SHA-2 you can switch to that because the client will be able to
process it.  So if you see ecdsa-sha2... or rsa-sha2... in the keyex then you
know the other side can do SHA2, and should do the auth with SHA2 as well.

>In this situation, the server cannot advertise an rsa-sha2-XXX algorithm for
>host authentication. 

It's not so much can it do RSA-SHA2, but can it do SHA2 in general rather than
SHA1.

Peter.
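
Added example, not part of the original message or of any SSH implementation: a Python sketch that parses the name-lists of an SSH_MSG_KEXINIT payload (RFC 4253, section 7.1) and reports the two signals discussed above separately, namely whether an rsa-sha2-* host key algorithm is advertised and whether any "-sha2-" name appears at all. The function names, the "-sha2-" substring heuristic and the sample algorithm lists are assumptions constructed for illustration.

```python
import struct

SSH_MSG_KEXINIT = 20
# Order of the ten name-lists that follow the 16-byte cookie (RFC 4253, 7.1).
FIELDS = ("kex_algorithms", "server_host_key_algorithms",
          "encryption_c2s", "encryption_s2c", "mac_c2s", "mac_s2c",
          "compression_c2s", "compression_s2c", "languages_c2s", "languages_s2c")

def build_kexinit(lists):
    """Build a constructed KEXINIT payload, used here only as sample input."""
    out = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # all-zero cookie: constructed
    for name in FIELDS:
        data = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(data)) + data
    return out + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Return {field: [algorithm names]}; reject malformed or truncated input."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, result = 17, {}
    for name in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError("name-list overruns payload")
        raw = payload[pos:pos + n].decode("ascii")
        result[name] = raw.split(",") if raw else []
        pos += n
    return result

def sha2_hints(payload):
    """Report the two signals from the thread as separate booleans."""
    lists = parse_kexinit(payload)
    hostkey = lists["server_host_key_algorithms"]
    names = lists["kex_algorithms"] + hostkey
    return {
        # The peer explicitly offers RSA with SHA-2 for host authentication.
        "rsa_sha2_hostkey": any(a.startswith("rsa-sha2-") for a in hostkey),
        # Hypothetical heuristic: any "-sha2-" name suggests SHA-2 support.
        "any_sha2_name": any("-sha2-" in a for a in names),
    }

# Constructed sample: a server holding only ECDSA and Ed25519 host keys.
SAMPLE = build_kexinit({
    "kex_algorithms": ["ecdh-sha2-nistp256", "diffie-hellman-group14-sha1"],
    "server_host_key_algorithms": ["ecdsa-sha2-nistp256", "ssh-ed25519"],
})
```

For the constructed sample the two signals differ: no rsa-sha2-* host key algorithm is offered, yet "-sha2-" names are present in the lists.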



