IETF-SSH archive


Re: ssh-ed25519 implementations





On Wed, May 10, 2017 at 9:18 AM, Mark Baushke <mdb%juniper.net@localhost> wrote:
Hi,

Eric Rescorla <ekr%rtfm.com@localhost> has brought to my attention that in
https://tools.ietf.org/html/draft-ietf-curdle-ssh-curves-04 it is
currently specifying the SSH encoding of secrets on the wire using the
mpint process as described in section 5 of [RFC4251] while RFC 7748
describes using a little-endian format:

  GF(2^448 - 2^224 - 1) and are encoded as an array of bytes, u,
  in little-endian order such that u[0] + 256*u[1] + 256^2*u[2] + ... +

This seems to be what is being implemented for
curve25519-sha256%libssh.org@localhost, so I should make
an explicit note of this in the draft.

Thanks. To be clear, I'm not saying this is the wrong thing in the draft
(though I do think it's kind of an unfortunate outcome). I just think it's
critically important to be clear.
 

However, I am unaware of any curve448-sha512 implementations at
present and would like consensus that it should also follow the mpint
method rather than the RFC 7748 method.

I tend to think the 7748 method, but all the options are pretty terrible here

-Ekr
 

Please reply to curdle%ietf.org@localhost with your opinions.

        Thank you,
        -- Mark
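
The two encodings contrasted in this message, as an added example that is not part of the original e-mail or of any SSH implementation: an RFC 4251 section 5 `mpint` encoder next to the fixed-length little-endian array that RFC 7748 describes. The function names, the sample octet strings (constructed), and the choice to read a 32-octet secret as an unsigned big-endian integer before `mpint` encoding are assumptions made for illustration.

```python
import struct


def ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251, section 5)."""
    if n < 0:
        raise ValueError("only non-negative values are handled in this example")
    if n == 0:
        return struct.pack(">I", 0)          # zero is a zero-length string
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")  # minimal, no leading zeros
    if body[0] & 0x80:
        body = b"\x00" + body                # keep the value positive
    return struct.pack(">I", len(body)) + body


def rfc7748_u(n: int, size: int = 32) -> bytes:
    """Fixed-length little-endian byte array: u[0] + 256*u[1] + ..."""
    return n.to_bytes(size, "little")


def mpint_from_octets(octets: bytes) -> bytes:
    """Assumption: read the octets as an unsigned big-endian integer, then mpint it."""
    return ssh_mpint(int.from_bytes(octets, "big"))


# Constructed 32-octet sample secrets (not real key material).
SAMPLES = {
    "plain":         b"\x01" * 32,
    "high_bit_set":  b"\x80" + b"\x01" * 31,
    "leading_zeros": b"\x00\x00\x7f" + b"\x01" * 29,
}


def encoded_lengths() -> dict:
    """Length of the mpint encoding for each sample; the raw form is always 32."""
    return {name: len(mpint_from_octets(s)) for name, s in SAMPLES.items()}


if __name__ == "__main__":
    for name, secret in SAMPLES.items():
        enc = mpint_from_octets(secret)
        print(f"{name:14s} raw={len(secret)} octets  mpint={len(enc)} octets  {enc[:6].hex()}...")
```

The same 32-octet secret yields a different number of bytes under `mpint` depending on its leading octets, so two peers that disagree on the encoding will feed different input into the exchange hash even though they computed the same secret.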



