Re: [Curdle] AD Review of draft-ietf-curdle-gss-keyex-sha2-05

Eric Rescorla <ekr@rtfm.com> Sun, 08 April 2018 14:00 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9B5D129C6D for <curdle@ietfa.amsl.com>; Sun, 8 Apr 2018 07:00:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.593
X-Spam-Level:
X-Spam-Status: No, score=-0.593 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, TRACKER_ID=1.306] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bzX351q8l2R8 for <curdle@ietfa.amsl.com>; Sun, 8 Apr 2018 07:00:31 -0700 (PDT)
Received: from mail-ot0-x22e.google.com (mail-ot0-x22e.google.com [IPv6:2607:f8b0:4003:c0f::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0CD53127444 for <curdle@ietf.org>; Sun, 8 Apr 2018 07:00:31 -0700 (PDT)
Received: by mail-ot0-x22e.google.com with SMTP id m22-v6so2868710otf.8 for <curdle@ietf.org>; Sun, 08 Apr 2018 07:00:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=wA1D8OSw7WNw3gzEhqVkC5g+f6VhqTRxi3f2tgC2fl0=; b=bkIOB1SgCABHDp2X3NqCLne/1snZC0ch6m0bl+lEOFKQx9xGrVl7/RbRedV7pwhOtZ +fyAGvosD2pTkMV+NeDJyKVBheLN9ySBPC0pGfgs0pGrUYA767qVWQixD3/bL10uQAGK DFt4aMssbEnV3pVr85fgz/zxJN75hzr8qJKg46Hqf2MzDQ4QTk5EyPGrN6L7oaRcxvWx NcfwyuATG1Ksvx4RVZElNwELCnefGaAvZDBUYLv9HTqlO6rSwk0H4vaCgsOolnuu7lCT RUDCfVV992Dfh8SIcQLJJSrSYvChWl/72WeqAZR16/foqApDxdcw+JlSoq2fNpPo2Ad3 fs0g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=wA1D8OSw7WNw3gzEhqVkC5g+f6VhqTRxi3f2tgC2fl0=; b=g+jA/an455SpWXSpxwm1J6l+t9M7DA0SGxVJB96GVTXl0vcgELXMpDPRL1yYzZh2LJ DMdI9aTyzzqSQriELd+6hxHxFoEi6ojIuULy8QO+xWQz/fpJJ3PoCUvnlxFd6UnvcSyK nRpYKIFjJ3ROddBEBt8PegerpTvM2u8055q4kpiK0DbX6OWu3LVEz07ZnBp6f4qLmYnV iLo7JKBN9N+B0Pv+4xPRTI3ubbrRXqhf1Q1ju6sGTGqNCWdGfrZTLDagvNRRasNhxqz+ i5AvM5wu9HVjKOosmwBJLVS6yEAr+W2uKcK7ezyXrRUpE1heEcj+aQJTISz5NUAXulJs quTg==
X-Gm-Message-State: ALQs6tCxpMuARi04S1oUrvHQkNJiccIRapjp9AJaDGy+JikYKIMcQ0nG xiisW/Cl9NV7Rb5oAy+MOafniBoRMPpTltm5mtbn5g==
X-Google-Smtp-Source: AIpwx49u75Yy0Y+ZxJsXtfeIsFXHAQPePDUz4q/xBHo3yN7LgoBvHARHGeNh5fHDxbXSy+kMS6jpehj4tttBOpvgTm4=
X-Received: by 2002:a9d:4289:: with SMTP id r9-v6mr7626072ote.44.1523196030394; Sun, 08 Apr 2018 07:00:30 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.138.18.130 with HTTP; Sun, 8 Apr 2018 06:59:49 -0700 (PDT)
In-Reply-To: <CADPMZDAvxqd0SGb2QomxuoBTjM=V96FR8qVTFnsWG5EjJvQ0JA@mail.gmail.com>
References: <CABcZeBNCUSpGihHz6bPBSALS4-34Tm7W36BCZ_Ev8OQz3KtVag@mail.gmail.com> <CADPMZDDjFghyj=1L+kq_XAXiea1W2LNEG9d13YY+OSyyd61niA@mail.gmail.com> <CABcZeBN=aHSTGusNWaCDcyv5BtnCjTU9jaTcohY4L-PHYk8e2Q@mail.gmail.com> <CADPMZDAe0HVz8NKCEPthV6AfZHJPuvk_S7-vMmVZQpyy_0F+vw@mail.gmail.com> <CABcZeBM-XKUjAWA7jX=ShnQaRdXmAChxNis_PCrqfMXd+yfRmg@mail.gmail.com> <186956AD-4D35-4CA4-9864-81B57080E0EA@akamai.com> <CABcZeBOnd7yBgYf4-bfK1vLoX5DdeKafG8GeX+95dn6YrXW7bg@mail.gmail.com> <CADPMZDAvxqd0SGb2QomxuoBTjM=V96FR8qVTFnsWG5EjJvQ0JA@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 8 Apr 2018 06:59:49 -0700
Message-ID: <CABcZeBOeEqUY-sfxqccsbppysrRmTYbXYmY0f87ZtEaX_abxUw@mail.gmail.com>
To: denis bider <denisbider.ietf@gmail.com>
Cc: "Salz, Rich" <rsalz@akamai.com>, curdle <curdle@ietf.org>, "draft-ietf-curdle-gss-keyex-sha2@tools.ietf.org" <draft-ietf-curdle-gss-keyex-sha2@tools.ietf.org>
Content-Type: multipart/alternative; boundary="00000000000050bc83056956b623"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/3W7XesHfCLl-62uyrPMln6rrMT8>
Subject: Re: [Curdle] AD Review of draft-ietf-curdle-gss-keyex-sha2-05
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Apr 2018 14:00:33 -0000

On Sat, Apr 7, 2018 at 7:19 PM, denis bider <denisbider.ietf@gmail.com>
wrote:

> I think this misunderstands the scope of the GSS draft.
>
> The GSS draft discusses GSS key exchange methods for SSH. These are not
> the main key exchange methods for SSH, they are a *version* of the main
> key exchange methods for use with GSS.
>
> Because these are a *version* of the main key exchange methods, the main
> value of this draft is that it updates the GSS key exchange methods to be
> in line with how the main key exchange methods for SSH have evolved.
>
> As Mark has pointed out, we have already added these key exchange methods
> to SSH in RFC 8268:
>
> diffie-hellman-group14-sha256
> diffie-hellman-group15-sha512
> diffie-hellman-group16-sha512
> diffie-hellman-group17-sha512
> diffie-hellman-group18-sha512
>
> The whole argument about which groups and which hashes we should have has
> already been staged, multiple times, and this is what we arrived at.
>
> The GSS draft is merely mirroring what we have already done for use with
> the GSS key exchange methods. It does not make sense for the GSS key
> exchange methods to do something entirely different than what the main key
> exchange methods do. It makes sense for the GSS key exchange methods to be
> consistent with what we have already done for the main ones.
>

OK. I regret not noticing this when I reviewed the SSH document, but as you
say, it's too late now.

-Ekr


> On Sat, Apr 7, 2018 at 6:38 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>
>>
>>
>> On Sat, Apr 7, 2018 at 7:23 AM, Salz, Rich <rsalz@akamai.com> wrote:
>>
>>> I see no point in adding another hash.  What’s the reason?
>>>
>>
>> So that you can have an implementation that spans a variety of groups
>> with just SHA-256.
>>
>>>
>>>
>>
>>
>