Re: [Curdle] Second AD Review: draft-ietf-curdle-ssh-curves.
Ron Frederick <ronf@timeheart.net> Sun, 04 August 2019 16:51 UTC
Return-Path: <ronf@timeheart.net>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F4B712003F for <curdle@ietfa.amsl.com>; Sun, 4 Aug 2019 09:51:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=timeheart.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OfrND253A3Nc for <curdle@ietfa.amsl.com>; Sun, 4 Aug 2019 09:51:53 -0700 (PDT)
Received: from mail-pl1-x62b.google.com (mail-pl1-x62b.google.com [IPv6:2607:f8b0:4864:20::62b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64FCC120033 for <curdle@ietf.org>; Sun, 4 Aug 2019 09:51:53 -0700 (PDT)
Received: by mail-pl1-x62b.google.com with SMTP id 4so28501424pld.10 for <curdle@ietf.org>; Sun, 04 Aug 2019 09:51:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=timeheart.net; s=mail; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=AzXjdpnnMnTzG6a6/+az5eCiVmjwsaUhJRF1roreKW8=; b=aSBTj/vwjTLH/V59hk3nvkpKgVzCNlilFUrjbZBpWrXGwP4HqXtlg/gr1lSUXP4Fq4 f9iOZfwNDtwv1QHDMkZ9jSaZiJqzrs0lEg2lSjcZAtx52Yte154fy9/nO/gMWBEn8qLZ ArIjQ5PX8Cv9QAUnrDI8KpgKgsAb4UFzll1t8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=AzXjdpnnMnTzG6a6/+az5eCiVmjwsaUhJRF1roreKW8=; b=LNvIku7k46702eBKTOtj4Imk+e2DPTgjrdNQY91YwbXtMpPfCcNuFkteuOS9zUtpQO f75YYa7Yl0r5WkDRo8UkTNF+7MiEDhGCDLZsNjxXJ6eIVSAgm62UWBKMW7NXVHQDIzNw uC2v3+/8VA8GAsxQ9izHqMxykiFOEyfoGb+YHYA6DQfK0JLaPOgdHuMHiKL3KWEmrwF9 T5jd4A2wbeK3EDBkdqiVpMSTusf3KW1CJ1rMugKKQoL+ey+RRFEEVs4liIa43gRHDEXJ DW9CsTFwu89aLUnzfcW4AXGJ4exWRzxNs6o/76CkMB/vW2+Esu+ckq1LKYLwbStozPKP yndw==
X-Gm-Message-State: APjAAAV49V6oHACafhiAY4nIid4fLRH0waUI8cGLpAhXKn9we2t88IqT 8fQo4Xy/7DRpLOcG/jBNgEMRcQYL3SY=
X-Google-Smtp-Source: APXvYqwK7HNPCXDzTomjrBclfwXSqwEHkf8TP7/XUdfPWFd2+3FWRfnmTOoq8oekP8jGBKmLCQasWg==
X-Received: by 2002:a17:902:9a42:: with SMTP id x2mr142129324plv.106.1564937512696; Sun, 04 Aug 2019 09:51:52 -0700 (PDT)
Received: from connect.timeheart.net.0.4.a.f.8.1.4.2.0.3.3.0.6.2.ip6.arpa ([2603:3024:18fa:4000::2]) by smtp.gmail.com with ESMTPSA id y128sm101439202pgy.41.2019.08.04.09.51.51 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 04 Aug 2019 09:51:52 -0700 (PDT)
From: Ron Frederick <ronf@timeheart.net>
Message-Id: <7859169F-D86B-4027-B060-6BAA6FD6CA6A@timeheart.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_2B89F6A1-D496-47A0-8F3B-C1E7769F80A2"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Sun, 04 Aug 2019 09:51:51 -0700
In-Reply-To: <0D4BB5A9-5E34-4038-BD5B-1EE63A67447D@juniper.net>
Cc: curdle <curdle@ietf.org>
To: Mark Baushke <mdb=40juniper.net@dmarc.ietf.org>
References: <CABcZeBM1xaLR2RqYo8_VmO1ue2qr3rn_52MhSDHagKhNF-AYQA@mail.gmail.com> <20190730214702.GS47715@kduck.mit.edu> <31257.1564525402@contrail-ubm16-mdb.svec1.juniper.net> <20190730231321.GU47715@kduck.mit.edu> <CADZyTk=9-pJ8mkwKSDMcZtN2DfD=C2OBDSm6v2pcvp-J2hekqg@mail.gmail.com> <0D4BB5A9-5E34-4038-BD5B-1EE63A67447D@juniper.net>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/FJV-MoBdjEUi7rWWqvNP-jNDu40>
Subject: Re: [Curdle] Second AD Review: draft-ietf-curdle-ssh-curves.
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Aug 2019 16:51:56 -0000
Hi Mark, On Aug 3, 2019, at 2:52 PM, Mark Baushke <mdb=40juniper.net@dmarc.ietf.org> wrote: > I have updated and uploaded the draft. Please let me know of any issues. Here are a few thoughts on version 9 of the draft: In section 3, you say “Key-agreement schemes Curve25519 and Curve448”, but these algorithms are not key-agreement schemes by themselves. I’d recommend going with the proposed SSH names here if you are discussing the full key agreement scheme and not the underlying elliptic curve algorithms. In other words, I’d suggest “Key-agreement schemes curve25519-sha256 and curve448-sha512” (possibly with quotes around each), as done earlier in this section. When detecting the all-zeroes value, the new text says it should “abort if so, as described in Section 6” of RFC 7748. However, the original RFC doesn’t actually define what “abort” means. It says “abort if so (see below)”, but I don’t know what that is referring to. The only mention of “abort” is in sections 6.1 and 6.2, and nothing in section 7 seems to really expand on what should be done if the all-zeroes check matches. This is more a fault of RFC 7748 than it is of this doc, but since you are now recommending to “abort” in this doc, it would be good to be more specific about what that means for an SSH client/server. I’m also not sure the sentence about “Alternative implementations” of these functions. There isn’t a lot of clarity on how one would determine in an alternate implementation when “either input forces the shared secret to one of a small set of values”. Since this point is covered already in RFC 7748 and this doc says “No further validation is required beyond what is discusses in RFC 7748”, though, I think it might be better to just leave this out. -- Ron Frederick ronf@timeheart.net
- [Curdle] Second AD Review: draft-ietf-curdle-ssh-… Eric Rescorla
- Re: [Curdle] Second AD Review: draft-ietf-curdle-… Benjamin Kaduk
- Re: [Curdle] Second AD Review: draft-ietf-curdle-… Mark D. Baushke
- Re: [Curdle] Second AD Review: draft-ietf-curdle-… Benjamin Kaduk
- Re: [Curdle] Second AD Review: draft-ietf-curdle-… Daniel Migault
- Re: [Curdle] Second AD Review: draft-ietf-curdle-… Mark Baushke
- Re: [Curdle] Second AD Review: draft-ietf-curdle-… Ron Frederick
- Re: [Curdle] Second AD Review: draft-ietf-curdle-… Benjamin Kaduk
- Re: [Curdle] Second AD Review: draft-ietf-curdle-… Mark D. Baushke
- Re: [Curdle] Second AD Review: draft-ietf-curdle-… Benjamin Kaduk