Re: [Curdle] WG status and rsa-sha2 as public key algorithm

Daniel Migault <> Sat, 20 May 2017 01:50 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D04BE12894A for <>; Fri, 19 May 2017 18:50:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.398
X-Spam-Status: No, score=-2.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id RztwNsThJri7 for <>; Fri, 19 May 2017 18:50:40 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4010:c07::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 912051204DA for <>; Fri, 19 May 2017 18:50:39 -0700 (PDT)
Received: by with SMTP id m18so8813979lfj.0 for <>; Fri, 19 May 2017 18:50:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=43qIF/kaDBzD6AGlMwUXJRoOKtR7c/4OV8It4rABtn8=; b=UTu3FaAOtSMMtE24evF6b3FUHnDIY6I39xDyavpuIkjjoiFDBYnfNzM/eDPVHwLI0B ibWXuRMeKDfEcHjIEi2MP/elpfNOtLDSZmMU8XtrmnRmcCrljwIerj70eDzknKa06tsk pTh4/CWTs8289jUdZFb4s7ZX4musEIWzEyfeKLnWNrDVLrLqumPaLO1oM29AqJhcCu7P pJbiC1lY1d7cbe6bmJTbK6jGm+E3vFXsXu9zPBlZZrz0x28DOXpyC/wkuHHFNTBzLQkJ HKa85x+oOpyaWciLEtMDAo8KW+r2xTt78C2V/iGs2G4rzqL+mJtY8K9yunLCLJUDiSl8 QqQw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=43qIF/kaDBzD6AGlMwUXJRoOKtR7c/4OV8It4rABtn8=; b=mC8qXgaDZRC6oDy5EUY2SfAPD/xCpNXjsbgJza0XUJNBR2hZzNHQeoxn0xD6/1wAKf uVj5gYmf1q59uU0I5TEjhGmaU5fSkTcVOvAZx4OM1+uR6Z10+LmPJCd5niscCGC6bj6m OFCoItiDsnMVvY6iSqqGa8LhxifhtRAqO0wDdJdPcO6eI6mkp/xh0BALWMsCo0NtQn6c NJ+4QwxMWaw+eFFmNMxrAEzUKXIQjvAJa/8aYubmpIOwz/BLsMsAmRgA9WFAUqxkZ3td UKvFYgwKQi/vPn2o1+712kImbPrd2Xo2uk83zDkpIptKl3EoE1Ee+FS0Gw6rCKds+1O5 /ttg==
X-Gm-Message-State: AODbwcBPd9xHOzGGREeVzH4rMGuKI8RoA1Nmk7eqmbhVoNz6V3jF4fGP CVq25BYWRAjC6oUj9hjDUroKlUno9w==
X-Received: by with SMTP id o68mr2712182lfc.96.1495245037890; Fri, 19 May 2017 18:50:37 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Fri, 19 May 2017 18:50:36 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
From: Daniel Migault <>
Date: Fri, 19 May 2017 21:50:36 -0400
X-Google-Sender-Auth: Z_aAG5YdekuZc4X98FEDjqIT6dg
Message-ID: <>
To: denis bider <>
Cc: curdle <>
Content-Type: multipart/alternative; boundary="001a113c477455eed7054feadd00"
Archived-At: <>
Subject: Re: [Curdle] WG status and rsa-sha2 as public key algorithm
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 20 May 2017 01:50:43 -0000

Thanks Denis for the clarification on the mailing list. It seems the
proposed version reached consensus as none opposed for the last 12 days. If
you think otherwise, please mention it as soon as possible. I am planning
to move the draft forward next week for AD review..


On Sun, May 7, 2017 at 9:01 PM, denis bider <>

> Roumen and I have exchanged details over the weekend. My understanding now
> is as follows.
> *Server-side situation:*
> OpenSSH versions before 7.5 (such as 7.3) send the "server-sig-algs"
> extension, but they only use it to indicate support for "rsa-sha2-512" and
> "rsa-sha2-256". They do not include other public key algorithms that the
> server supports, even though the server will accept those algorithms if
> they are attempted.
> It is intended that the server should send a complete set of accepted
> public key algorithms. My understanding is that OpenSSH versions 7.5 and
> later do this. Bitvise SSH Server has always sent a complete list.
> *Client-side situation:*
> There exist clients which have problems with OpenSSH 7.3 behavior, and
> clients that don't.
> *Clients with explicit public key configuration.* Bitvise SSH Client does
> not have a problem with this behavior, because it does not use public keys
> opportunistically. Our SSH Client will use a public key to authenticate
> only if the key is explicitly configured by the user. It will use only the
> requested key, and not other keys that it may find in various places of
> storage.
> As a result, our SSH Client has no use for a hint from the server about
> which key types are OK to use. It already knows the key it's going to use.
> The question is what signature algorithm (now renamed "public key
> algorithm") to use with that key. For this purpose, the information sent by
> OpenSSH is sufficient, regardless of version. For RSA keys, the
> "server-sig-algs" extension provides the info. For non-RSA keys, there's
> only one algorithm possible anyway, so we use it.
> *Clients with opportunistic key search.* Other SSH clients, including
> OpenSSH and PKIXSSH (Roumen's work) do not require a public key to be
> explicitly configured in order to be used. Such clients perform an
> opportunistic search, and try to use any and all keys that might work that
> can be found in various places of storage. This includes the user's .ssh
> directory, keys available via the SSH agent protocol, and keys specified on
> the command line.
> These types of clients have a problem, because:
> - In OpenSSH versions 7.5 and higher, the client can use the list of
> algorithms sent in the server's "server-sig-algs" extension to narrow down
> the public keys it's going to try. If the server doesn't list ECDSA or DSA,
> for example, the client can take that as authoritative, and can exclude
> those keys from authentication. This is nice because it may involve trying
> fewer keys.
> - In OpenSSH version 7.3, the server will only send "rsa-sha2-256" and
> "rsa-sha2-512", even if the server also accepts ECDSA and other algorithms.
> This means the client needs to have explicit treatment to detect the
> OpenSSH protocol version. If the OpenSSH version is older than 7.5,
> "server-sig-algs" can still be used to enable the use of "rsa-sha2-XXXX"
> instead of "ssh-rsa", but it cannot be used to exclude non-RSA keys in
> authentication.
> *Options:*
> *(A) Rename extension.* Roumen has requested that we rename the
> "server-sig-algs" extension and make it clear that the server must send all
> algorithms it will accept.
> I think this is not the best thing to do for the following reasons:
> - There are multiple implementations of this extension which are not
> impacted by the OpenSSH 7.3 issue. These implementations would suffer from
> the rename.
> - Implementations that are impacted by the OpenSSH 7.3 issue may still
> have a requirement to interoperate with OpenSSH 7.5, as well as other
> servers that currently send "server-sig-algs" with a complete list of
> algorithms. For such implementations, renaming the extension is again not a
> fix, but a further complication.
> *(B) Workaround by clients that need it.* My suggestion is that clients
> that use opportunistic key search, and wish to interoperate with OpenSSH
> 7.3, should implement a compatibility workaround for the way
> "server-sig-algs" is sent by that version.
> I think this is the better solution for the following reasons:
> - There are multiple implementations which are already not affected by the
> issue, whether communicating with OpenSSH or between themselves. In this
> case, those implementations do not need to change anything.
> - The work required for clients with opportunistic key search is similar
> to the work required in above option A), *assuming *those clients want to
> interoperate with OpenSSH 7.5+ and other existing servers that send
> "server-sig-algs" with a complete list of algorithms.
> In addition, it appears the draft needs to be clarified to state:
> - The server SHOULD send a complete list of public key algorithms it will
> accept for user authentication.
> - The client MAY authenticate with a public key algorithm not included in
> the server's list.
> At this time, I will make this update to the draft.
> denis
> On Fri, May 5, 2017 at 4:15 AM, denis bider <>
> wrote:
>> Talking to Roumen off-list to gain a better understanding of his
>> implementation, and why it has trouble dealing with "server-sig-algs" sent
>> by OpenSSH versions before 7.5. Our implementation does not have trouble.
>> His implementation might though, perhaps due to different combinations of
>> supported algorithms, and/or a different design approach. Trying to
>> understand this better. Will post when I do.
>> On Fri, May 5, 2017 at 12:18 AM, denis bider <>
>> wrote:
>>> Although my below response was self-explanatory, it is not sufficient.
>>> It requires elaboration:
>>> - The extension being specified is already deployed in a variety of
>>> implementations, not only OpenSSH. (See [1] at bottom)
>>> - Since the draft thus far remains compatible with existing
>>> implementations, changing the name of the extension would break
>>> compatibility.
>>> - Breaking compatibility with existing implementations requires a
>>> substantive reason. I am currently not aware of a substantive reason to do
>>> this.
>>> - A problem in particular versions of a particular implementation is not
>>> a substantive reason. Idiosyncrasies of specific implementations are
>>> handled by others recognizing the SSH version string, not diverging the
>>> protocol.
>>> - It is not clear to me that the problem you reference in OpenSSH
>>> versions prior to 7.5 is a problem that needs to be addressed at this level.
>>> - In a previous message, Damien Miller, who is representative of OpenSSH
>>> in this forum, has expressed a preference to keep the same extension name.
>>> To be clear, the extension name is not one I'm overly happy with. In
>>> fact, I had changed the name of the extension from "server-sig-algs" to
>>> something more appropriate in an early version of the draft. However, by
>>> that time, another implementation already picked up "server-sig-algs".
>>> For this reason, I changed the spec back to "server-sig-algs". Although
>>> the name is not ideal, it is now in use; and the name being ideal is
>>> strictly less important than there being one identifier; and one identifier
>>> only; for the same concept, if reasonably possible.
>>> I stand by this decision, and think it's incorrect to modify the name at
>>> this time, unless the mechanics of the extension are changed in some way
>>> that's fundamental.
>>> [1] According to this excellent, but at this time slightly outdated
>>> comparison:
>>> ... implementations of rsa-sha2-*** public key algorithms include
>>> AsyncSSH, SmartFTP, and OpenSSH. Bitvise SSH Server and Client also support
>>> them, but this is not listed in the chart. This leads me to believe there
>>> may be other implementations also. I know that at least three of these
>>> implementations also implement the "server-sig-algs" extension under its
>>> current name.
>>> On Thu, May 4, 2017 at 11:12 PM, denis bider <>
>>> wrote:
>>>> > 10x for new versions.
>>>> You don't even have the decency to spell that.
>>>> > The name of extension "server-sig-algs" must be changed as well.
>>>> No fucking way. Fuck off.
>>>> On Thu, May 4, 2017 at 1:17 PM, Румен Петров <
>>>> > wrote:
>>>>> Hi denis,
>>>>> denis bider wrote:
>>>>>> Hello everyone,
>>>>>> in the interest of consensus, I have adopted the requested terminology
>>>>>> changes in the two drafts. What was previously "signature algorithm"
>>>>>> is now
>>>>>> "public key algorithm", and what was previously "public key
>>>>>> algorithm" is
>>>>>> now "public key format".
>>>>>> Please review and let me know.
>>>>> 10x for new versions.
>>>>> Main context of *draft-ietf-curdle-rsa-sha2-07.txt* is fine with me.
>>>>> I still think that chapter 4 IANA Considerations could be simplified
>>>>> to list only public key algorithm but this is not so important.
>>>>> The chapter refer to RFC4250 but section 7.1 Normative References lack
>>>>> reference to it. May be is good to list RFC4250 as well.
>>>>> No other remarks.
>>>>> About draft-ietf-curdle-ssh-ext-info-06.txt:
>>>>> The name of extension "server-sig-algs" must be changed as well.
>>>>> First because extension contain  abbreviation of signature in name
>>>>> (description is fine),
>>>>> second because existing implementation does not follow rules from
>>>>> RFC4250, section 4.6.1. "Conventions for Names" and
>>>>> third(!) due to broken OpenSSH implementation: " ...where SHA2 RSA
>>>>> signature methods were not being correctly advertised..." fixed in 7.5.
>>>>> [SNIP]
>>>>> Regards,
>>>>> Roumen Petrov
>>>>> _______________________________________________
>>>>> Curdle mailing list
> _______________________________________________
> Curdle mailing list