IETF-SSH archive


Re: [Ssh] Re: draft charter



Stephen Farrell <stephen.farrell%cs.tcd.ie@localhost> writes:

> I got a request that the current draft charter text be sent to the
> list itself, which seems like a good idea, so that's below.

The charter looks good enough to me.

>     to update and maintain the list of cryptographic algorithms used by
> SSH. This includes documenting existing algorithms, deprecating unsafe
> algorithms, selecting new algorithms (such as post-quantum), and
> determining the set of recommended and mandatory-to-implement
> algorithms. Updating IANA SSH registries and changing their registration
> policies is in scope.

I think it would be beneficial to have a single documented and recommended
way to plug in new AEAD-style algorithms in SSH, since those weren't a
thing when the original protocol was designed. In particular,

 * How to deal with the mac in algorithm negotiation, since that is
   useless if an aead-mode is selected for encryption, and in that case
   algorithm negotiation should allow an empty intersection (as well as
   empty inputs) for mac negotiation

 * How the packet lengths are encrypted, their own AEAD message
   (increasing packet size and departing somewhat from the old binary
   protocol), or something cheaper with weaker authentication?

 * Precisely how the Associated Data input is used.

For reference, I made an attempt at a spec like that a couple of years
back, see https://datatracker.ietf.org/doc/draft-nisse-secsh-aead/, but
I wasn't able to move it very far back then.

/Niels

-- 
Niels Möller. PGP key CB4962D070D77D7FCB8BA36271D8F1FF368C6677.
Internet email is subject to wholesale government surveillance.
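
The negotiation rule asked for in the first bullet, as an added example (not part of the original message and not taken from draft-nisse-secsh-aead). It applies the RFC 4253 "first client name also on the server's list" rule for one direction and skips the MAC step when the chosen cipher is AEAD; the AEAD set, the function names and the sample lists are assumptions made for illustration.

```python
# Added illustration: SSH algorithm negotiation with an AEAD-aware MAC step.
# Covers one direction only; SSH negotiates each direction separately.

# Assumption: these cipher names (as used by OpenSSH) are treated as AEAD.
AEAD_CIPHERS = frozenset({
    "chacha20-poly1305@openssh.com",
    "aes128-gcm@openssh.com",
    "aes256-gcm@openssh.com",
})


class NegotiationError(Exception):
    """No mutually supported algorithm for a required category."""


def first_match(client, server):
    """RFC 4253 sec. 7.1 rule: first client name that the server also lists."""
    server_set = set(server)
    for name in client:
        if name in server_set:
            return name
    return None


def negotiate(client_enc, server_enc, client_mac, server_mac):
    """Return (cipher, mac); mac is None when the cipher is AEAD."""
    cipher = first_match(client_enc, server_enc)
    if cipher is None:
        raise NegotiationError("no common encryption algorithm")
    if cipher in AEAD_CIPHERS:
        # MAC lists are ignored here: empty lists or an empty intersection
        # must not abort the key exchange, because the cipher authenticates.
        return cipher, None
    mac = first_match(client_mac, server_mac)
    if mac is None:
        # Without AEAD a missing MAC would leave packets unauthenticated.
        raise NegotiationError("no common MAC for non-AEAD cipher " + cipher)
    return cipher, mac


if __name__ == "__main__":
    # Constructed sample lists: disjoint MAC lists, AEAD cipher preferred.
    print(negotiate(["aes256-gcm@openssh.com", "aes128-ctr"],
                    ["aes128-ctr", "aes256-gcm@openssh.com"],
                    ["hmac-sha2-256"], ["hmac-sha2-512"]))
```

A strict RFC 4253 negotiator would fail on the sample lists because the MAC lists do not intersect; with the AEAD-aware step the exchange succeeds and no separate MAC is configured.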


