IETF-SSH archive


Re: diffie-hellman-group14-sha256 vs ssh-rsa and SHA-1



>> Because the host key is used to sign the kex hash, and it's an
>> ssh-rsa key, so its signatures are defined to use SHA-1.
> Not necessarily.

True.  To be more precise, the negotiated host-key algorithm was
ssh-rsa, which is defined to use SHA-1.

> [...].  In other words "ssh-rsa" is just generic RSA, and then the
> more specific rsa-sha2-256 is explicitly RSA with SHA-2 if you want
> that.

ssh-rsa as part of a public-key data blob is generic RSA.  ssh-rsa as a
negotiated host-key algorithm is not; it is what if the three were
designed today would probably be rsa-sha1-160 or some such (if it were
used at all).

>> I should go looking for specs to implement rsa-sha2-256 and
>> rsa-sha2-512; I was not previously aware they existed....)
> [...] RFC 8332 [...]

Thank you - already found it (by searching my RFC collection for
rsa-sha2-512).  I also found I had saved a copy of
draft-ietf-curdle-rsa-sha2-01.txt, indicating I _was_ aware of them at
some point (but, obviously, had managed to forget).

I've now implemented them and find that they break one of my other
assumptions; I need to rethink some aspects of host-key storage.  But I
also have some other assumptions to straighten out.

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse%rodents-montreal.org@localhost
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
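The distinction drawn above, that "ssh-rsa" inside a public-key blob is just an RSA key while "ssh-rsa" as a signature algorithm means RSA with SHA-1, is visible on the wire: RFC 8332 keeps the key blob as "ssh-rsa" and only changes the first string of the signature blob to "rsa-sha2-256" or "rsa-sha2-512". The following is an added example, not code from this thread or from any SSH implementation; it is a minimal verifier that picks the hash from the signature blob's own name rather than from the key type, signs a constructed stand-in for the exchange hash H with all three names over one "ssh-rsa" key blob, and shows that relabeling a SHA-2 signature as "ssh-rsa" makes it fail. The RSA key is generated on the fly (1024 bits, demo only), and all function names here are mine.

```python
import hashlib, hmac, math, random, struct

# Signature-name -> hash: "ssh-rsa" (RFC 4253) is SHA-1; RFC 8332 adds the SHA-2 names.
SIG_HASH = {b"ssh-rsa": "sha1", b"rsa-sha2-256": "sha256", b"rsa-sha2-512": "sha512"}
# DigestInfo prefixes for EMSA-PKCS1-v1_5 (RFC 8017, section 9.2, note 1).
DIGEST_INFO = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}

def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': uint32 length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for n >= 0 (leading 0x00 when the top bit is set)."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def read_string(buf: bytes, off: int):
    """Parse one 'string' at offset; returns (bytes, new offset)."""
    (length,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + length
    if end > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off + 4:end], end

def _probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin, sufficient for a throwaway demo key."""
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_demo_key(bits: int = 1024):
    """Return (n, e, d). Demo only: 1024-bit RSA is too small for real host keys."""
    e, half = 65537, bits // 2
    while True:
        p = random.getrandbits(half) | (3 << (half - 2)) | 1  # top two bits set
        q = random.getrandbits(half) | (3 << (half - 2)) | 1
        if p != q and _probable_prime(p) and _probable_prime(q):
            phi = (p - 1) * (q - 1)
            if math.gcd(e, phi) == 1:
                return p * q, e, pow(e, -1, phi)

def emsa_pkcs1_v15(hash_name: str, data: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of hash(data) into k bytes (RFC 8017, section 9.2)."""
    t = DIGEST_INFO[hash_name] + hashlib.new(hash_name, data).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too small for this hash")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def ssh_rsa_sign(n: int, d: int, sig_alg: bytes, data: bytes) -> bytes:
    """Signature blob: string sig_alg, string s (RFC 4253 6.6 / RFC 8332 3)."""
    k = (n.bit_length() + 7) // 8
    s = pow(int.from_bytes(emsa_pkcs1_v15(SIG_HASH[sig_alg], data, k), "big"), d, n)
    return ssh_string(sig_alg) + ssh_string(s.to_bytes(k, "big"))

def ssh_rsa_verify(pubkey_blob: bytes, sig_blob: bytes, data: bytes) -> bool:
    """Verify; the hash is chosen from the signature name, never from the key type."""
    try:
        key_type, off = read_string(pubkey_blob, 0)
        if key_type != b"ssh-rsa":  # all three signature names sit on an ssh-rsa key blob
            return False
        e_bytes, off = read_string(pubkey_blob, off)
        n_bytes, off = read_string(pubkey_blob, off)
        sig_alg, soff = read_string(sig_blob, 0)
        s_bytes, soff = read_string(sig_blob, soff)
        if off != len(pubkey_blob) or soff != len(sig_blob) or sig_alg not in SIG_HASH:
            return False
        e, n = int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")
        k = (n.bit_length() + 7) // 8
        s = int.from_bytes(s_bytes, "big")
        if len(s_bytes) > k or s >= n:
            return False
        em = pow(s, e, n).to_bytes(k, "big")
        return hmac.compare_digest(em, emsa_pkcs1_v15(SIG_HASH[sig_alg], data, k))
    except (ValueError, struct.error):
        return False

def demo() -> dict:
    """Sign a stand-in exchange hash with all three names over ONE ssh-rsa key blob."""
    n, e, d = generate_demo_key()
    pubkey_blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    H = b"constructed stand-in for the SSH exchange hash H"  # constructed sample input
    out = {}
    for alg in SIG_HASH:
        sig = ssh_rsa_sign(n, d, alg, H)
        _, off = read_string(sig, 0)
        relabeled = ssh_string(b"ssh-rsa") + sig[off:]  # same s, claimed to be SHA-1
        out[alg.decode()] = {
            "verifies": ssh_rsa_verify(pubkey_blob, sig, H),
            "verifies_if_relabeled_ssh-rsa": ssh_rsa_verify(pubkey_blob, relabeled, H),
        }
    return out

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13s} {result}")
```

Running it prints `verifies: True` for all three names and `False` for the two relabeled SHA-2 signatures, which is the practical consequence for host-key storage: the stored key blob is the same "ssh-rsa" bytes whichever signature name was negotiated, so the algorithm name has to be tracked alongside the key rather than derived from it.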
