I support the described change intentions.
With regard to question (1) about MAY/SHOULD – I don’t have a strong
position. In my implementation experience, end users don’t care about these
types of recommendations, and the recommendations do not stand the test of time.
Our security-conscious users knew they wanted to disable CBC before there was a
spec about it. Our users now want Curve25519 and Ed25519, and they don’t need a
“MUST” to tell them this.
The main reason I see to impose a SHOULD / SHOULD NOT is when the spec can
inform the implementer about something that’s not obvious. For example, if I’m
an implementer of desktop and server software, it may not be obvious that I
should offer a key exchange method that’s feasible for resource-constrained
devices. So, for interoperability reasons, it’s good to make group14-sha256 a
SHOULD, and also to state the reason for this recommendation: interoperability
with resource-constrained devices.
With regard to question (2) about SHA-2 versions – I would prefer only
SHA-512 for group 15 and higher. Group 14 should use SHA-256 because it’s for
interoperability with resource-constrained devices. Group 15 and higher need a
way to be used with a 384-bit hash or larger to meet those irrelevant government
recommendations no one likes to hear about. An implementation that can do
3072-bit DH can also do SHA-512, so I don’t see why not.
In summary, I think the proposal is fine.
denis
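As an added illustration of the hash-size reasoning in the message above (this is not denis's code, nor anything from the draft or OpenSSH): the script parses the kex method names from Mark's table, looks up the RFC 3526 modulus sizes, estimates each group's symmetric-equivalent strength with the usual GNFS key-length formula, and applies an assumed rule of thumb that the exchange hash digest be at least twice that estimate. Both the estimate and the 2x rule are assumptions chosen for illustration, not requirements stated in the draft.

```python
import math
import re

# MODP group sizes from RFC 3526 for the groups named in the draft's table.
MODP_GROUP_BITS = {14: 2048, 15: 3072, 16: 4096, 17: 6144, 18: 8192}
SHA2_DIGEST_BITS = {"sha256": 256, "sha384": 384, "sha512": 512}

KEX_NAME_RE = re.compile(r"^diffie-hellman-group(\d+)-(sha\d+)$")


def estimate_dh_strength_bits(modulus_bits):
    """GNFS-based estimate of the symmetric-equivalent strength of a
    finite-field DH group of the given modulus size (the common key-length
    comparison formula; gives roughly 110 bits for 2048 and 132 for 3072)."""
    ln_n = modulus_bits * math.log(2)
    work = 1.923 * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) - 4.69
    return work / math.log(2)


def parse_kex_name(name):
    """Split an SSH kex method name into (group number, hash name)."""
    m = KEX_NAME_RE.match(name)
    if not m:
        raise ValueError("not a diffie-hellman-groupN-shaX method: %s" % name)
    return int(m.group(1)), m.group(2)


def hash_is_adequate(name):
    """Assumed rule of thumb: the exchange hash digest should be at least
    twice the group's estimated strength, so the hash is never the weakest
    link of the key exchange."""
    group, hash_name = parse_kex_name(name)
    strength = estimate_dh_strength_bits(MODP_GROUP_BITS[group])
    return SHA2_DIGEST_BITS[hash_name] >= 2 * strength


def review_table(names):
    """Return {method name: adequate?} for a list of proposed method names."""
    return {n: hash_is_adequate(n) for n in names}


if __name__ == "__main__":
    # The five names from Mark's table plus one constructed counter-example.
    proposed = [
        "diffie-hellman-group14-sha256", "diffie-hellman-group15-sha512",
        "diffie-hellman-group16-sha512", "diffie-hellman-group17-sha512",
        "diffie-hellman-group18-sha512", "diffie-hellman-group16-sha256",
    ]
    for name, ok in review_table(proposed).items():
        print("%-32s %s" % (name, "ok" if ok else "digest too short"))
```

Under these assumptions group14 is fine with SHA-256, while every group from 15 upward needs SHA-512, which matches the preference stated in the message.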
From: Mark D. Baushke
Sent: Monday, September 5, 2016 15:56
Cc: Daniel Migault; Watson Ladd; Paul Hoffman; Rich Salz; Phillip Hallam-Baker; IETF Curdle; IETF SSH
Subject: Re: [Curdle] Group 15 needed in draft-baushke-ssh-dh-group-sha2

Hi,

The current draft-ietf-curdle-ssh-kex-sha2-03 draft expires in about a week, so I will be publishing a new draft before this Friday.

Note: I will not be able to attend the IETF (November 13-18) in South Korea.

Here are my current suggestions for the DH entries in the table:

Key Exchange Method Name       Reference   Note
diffie-hellman-group14-sha256  This Draft  SHOULD
diffie-hellman-group15-sha512  This Draft  MAY
diffie-hellman-group16-sha512  This Draft  SHOULD
diffie-hellman-group17-sha512  This Draft  MAY
diffie-hellman-group18-sha512  This Draft  MAY

I do not see any problems with letting these kex method names be defined and used by folks that want them. The remaining questions are:

1) which DH groups are best noted as SHOULD and which ones as MAY (Peter wants diffie-hellman-group14-*, denis wants diffie-hellman-group15-*, and the OpenSSH 7.3 release will negotiate diffie-hellman-group16-sha512 and diffie-hellman-group18-sha512), and

2) is the use of sha512 vs sha256 vs allowing either of the sha2 functions to be negotiated best to use for the new DH groups?

As you can see, I am currently tending toward not having any of the new DH groups be labeled as MUST. The -04 draft would therefore list curve25519-sha256 as the only MUST kex method.

Are there any strong objections to this direction?

Thanks,
-- Mark