Re: [Curdle] draft-ietf-curdle-ssh-kex-sha2 and diffie-hellman-group1-sha1 (1024-bit DH)

["Mark D. Baushke" <mdb@juniper.net>]

Hi Tero,

Tero Kivinen <kivinen@iki.fi> writes:

> I think it is bad idea to go from MUST to implement algorithm to MUST
> NOT implement in one step. Especially as this will make all current
> ssh implementations non-conforming as they do still implement
> diffie-hellman-group1-sha1 even when it might be disabled by default.

I see your point.

> We are defining here a MUST implement and MUST not implement, not MUST
> use and MUST NOT use recommendations.

For reference, there are five key exchanges that
draft-ietf-curdle-ssh-kex-sha2-08 marks as "MUST NOT"

          Key Exchange Method Name           Reference  Implement
          ---------------------------------- ---------- ---------
          diffie-hellman-group1-sha1         RFC4253    MUST NOT
          diffie-hellman-group-exchange-sha1 RFC4419    MUST NOT
          gss-gex-sha1-*                     RFC4462    MUST NOT
          gss-group1-sha1-*                  RFC4462    MUST NOT
          rsa1024-sha1                       RFC4432    MUST NOT

Of these, only diffie-hellman-group1-sha1 is moving from MUST to MUST
NOT. Due to 1024-bit Diffie-Hellman being considered by many as having
too little security (the same would be true of gss-group1-sha1-*).

What transition period is desirable for taking group1 "MUST" to "SHOULD
NOT" to "MUST NOT" ? Is it possible to codify both "SHOULD NOT" and 
"MUST NOT" time frames into one RFC?

While we are on the topic of this draft, let me point out that the
SHOULD- are on the way to SHOULD NOT and the SHOULD+ may be heading to
MUST. Do folks agree with these choices? They are really more of a guide
to best practices than they are to implementors who have already
implemented the older Key exchanges.

There are three which are marked as "SHOULD-" 

          Key Exchange Method Name           Reference  Implement
          ---------------------------------- ---------- ---------
          diffie-hellman-group14-sha1        RFC4253    SHOULD-
          ecdh-sha2-nistp256                 RFC5656    SHOULD-
          gss-group14-sha1-*                 RFC4462    SHOULD-

There are four that are marked as "SHOULD+" 

          Key Exchange Method Name           Reference  Implement
          ---------------------------------- ---------- ---------
          curve25519-sha256                  ssh-curves SHOULD+
          diffie-hellman-group16-sha512      new-modp   SHOULD+
          ecdh-sha2-nistp384                 RFC5656    SHOULD+
          gss-group16-sha512-*               gss-keyex  SHOULD+

The draft defines SHOULD+ and SHOULD- as:

    SHOULD+   This term means the same as SHOULD. However, it is likely
              that an algorithm marked as SHOULD+ will be promoted at
              some future time to be a MUST.
    SHOULD-   This term means the same as SHOULD. However, an algorithm
              marked as SHOULD- may be deprecated to a MAY in a future
              version of this document.

I have received one piece of private feedback that the IESG may not
want SHOULD- and SHOULD+ in this document.

	-- Mark