Re: [Curdle] Warren Kumari's No Objection on draft-ietf-curdle-ssh-curves-10: (with COMMENT)
Warren Kumari <warren@kumari.net> Tue, 03 September 2019 16:47 UTC
Return-Path: <warren@kumari.net>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86A1812013A for <curdle@ietfa.amsl.com>; Tue, 3 Sep 2019 09:47:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RhWpMWsLpdf7 for <curdle@ietfa.amsl.com>; Tue, 3 Sep 2019 09:47:19 -0700 (PDT)
Received: from mail-qk1-x730.google.com (mail-qk1-x730.google.com [IPv6:2607:f8b0:4864:20::730]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9B728120805 for <curdle@ietf.org>; Tue, 3 Sep 2019 09:47:19 -0700 (PDT)
Received: by mail-qk1-x730.google.com with SMTP id i78so15146776qke.11 for <curdle@ietf.org>; Tue, 03 Sep 2019 09:47:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=ccXq7j6yLgudlE03NX0eVlaXGfA909S/XWf/6NySvk8=; b=ikFFTUs0HFoPSuf1z9z4mW06KKHH+kPicku3ZdA1Sxjoj7ZB4a64RtJoxWrQ1L1OEv jeZYQDhEPZIhNzjBuL7HIJR6tHuwP50m8tPlQViotCfAR9iPZae3NQhNG6DLMMYdHiwr rD7NkV5v15GUD380djDXnYa/wfSwYTstSUTVRqAI6mSP5LlEePYGWv5+Vp1TaoNdcoK7 a4KCjj07OsOVYdJihhATPxo/fGv8AF0pN/myTD0RRv8uOWLaLaI0e8fmf8xD0UYUf3x0 wRXGCmgtBST77wmfkaXSIrzMp2jyGxvsjC56/7Fh7whKiJVFZB+T/Co48RJON1Uul8sI SCZQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=ccXq7j6yLgudlE03NX0eVlaXGfA909S/XWf/6NySvk8=; b=kAfJGxMVYoqYoq6o6wD7JHEbZhRo4U/vPRsMuKoNhFAOB3cTGIbPSLTwEkQYFMHCVt IL9X4Oy4OcTatUV5tGbRf5KEJNeUf5DF+83Y0LrVoQ0dnpn4BeyNto5kh70MtgDE2D4x c8RUDWgnnHpQ91auK0yYjV+fKCQnpFZzSxiyPO3E1khVxbP1kZguP5+aezrtq+mHOlZ0 Hu1z+eOrwHnN+ZBVaUOA42XUMWWVtnQyXfw6m8/9LPm88w7yWxpnAbcB5rwEbMa5MrY9 5WplhM/Rv4s1+KbirZof5Vge3C3pkxp/rWNkFAbV0v0ZriGCbhvIGwMMr9/khWIj6SVZ 0jng==
X-Gm-Message-State: APjAAAWJP5E3O1bvZ+d6KJCsrlVA6ovu5OBzKR4pQfCPwQcLvpxa97kU 8Pz2jDBxA0BAfFdJXpmbuAtikHxWMIHEBwLdyfQ+9g==
X-Google-Smtp-Source: APXvYqye5KYyv4IU1KX2k5w12IAnlMs0jMyKlTqhQusfLanrJoif/ishMvlpSxlyUUlw9SnUJs4/gissCMmOBh8YsZY=
X-Received: by 2002:a37:4d02:: with SMTP id a2mr35270895qkb.63.1567529237292; Tue, 03 Sep 2019 09:47:17 -0700 (PDT)
MIME-Version: 1.0
References: <156752357052.9594.7566059219592586096.idtracker@ietfa.amsl.com> <23919.1567526907@contrail-ubm16-mdb.svec1.juniper.net> <27bf18c7-7028-dc2a-54d6-2f98f98e7328@badcode.be>
In-Reply-To: <27bf18c7-7028-dc2a-54d6-2f98f98e7328@badcode.be>
From: Warren Kumari <warren@kumari.net>
Date: Tue, 03 Sep 2019 12:46:41 -0400
Message-ID: <CAHw9_iJk8uMi=2iNJsyQOzixA6LjU6KvL0bs5y1qD0Frm_nxOw@mail.gmail.com>
To: Aris Adamantiadis <aris@badcode.be>
Cc: "Mark D. Baushke" <mdb@juniper.net>, The IESG <iesg@ietf.org>, draft-ietf-curdle-ssh-curves@ietf.org, Daniel Migault <daniel.migault@ericsson.com>, curdle-chairs@ietf.org, curdle@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/VgW7FInWhYUE9C7NCEj9ahlpE-g>
Subject: Re: [Curdle] Warren Kumari's No Objection on draft-ietf-curdle-ssh-curves-10: (with COMMENT)
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Sep 2019 16:47:24 -0000
On Tue, Sep 3, 2019 at 12:42 PM Aris Adamantiadis <aris@badcode.be> wrote: > > Hi Mark, Warren, > > Le 03/09/2019 à 18:08, Mark D. Baushke a écrit : > > Hi Warren, > > Warren Kumari writes: > > Mirja beat me to it with the questions re: the additional Copyright > text -- I'd *thought* I'd seen a reply to that mail, but cannot seem > to find it at the moment.. > > My comment was that as I had not introduced the copyright section, I was > not comfortable removing it without approval of the other two authors of > this Draft. I have not yet heard from them on this topic. I have no > objections to the removal myself. > > I have no objection with removing this section. I did not introduce it. > > Also: > > "An abort for these purposes is defined as a disconnect of the session > with an appropriate SSH "protocol error" for the fault provided to or > by the client. " > > Fair enough -- but would it be possible to point at where people can > go find out what the "appropriate SSH protocol error" is? > > Protocol error messages to abort are in Section 11.1 of RFC4253. and the > most likely code would be SSH_DISCONNECT_KEY_EXCHANGE_FAILED (reason > code 3). > > I was going to suggest this. > That'd work for me, or even something like "An abort for these purposes is defined as a disconnect of the session with an appropriate SSH "protocol error" (see Section 11.1 of RFC4253) for the fault provided to or by the client.", but I think your text is better... W > This should at most be a SHOULD because the rest of the SSH specs (and implementations) aren't very prescriptive on the error conditions. If we had to pick one, I'd pick SSH_DISCONNECT_KEY_EXCHANGE_FAILED. We can refer to RFC4253 11.1 on the process of disconnecting a peer, but that looks already obvious in light of the rest of the protocol. > > For reference, RFC5656 doesn't go further than this on handling kex problems: > > All elliptic curve public keys MUST be validated after they are > received. An example of a validation algorithm can be found in > Section 3.2.2 of [SEC1]. If a key fails validation, the key exchange > MUST fail. -- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf
- [Curdle] Warren Kumari's No Objection on draft-ie… Warren Kumari via Datatracker
- Re: [Curdle] Warren Kumari's No Objection on draf… Mark D. Baushke
- Re: [Curdle] Warren Kumari's No Objection on draf… Aris Adamantiadis
- Re: [Curdle] Warren Kumari's No Objection on draf… Warren Kumari
- Re: [Curdle] Warren Kumari's No Objection on draf… Ron Frederick
- Re: [Curdle] Warren Kumari's No Objection on draf… Mark D. Baushke
- Re: [Curdle] Warren Kumari's No Objection on draf… Warren Kumari
- Re: [Curdle] Warren Kumari's No Objection on draf… Ron Frederick
- Re: [Curdle] Warren Kumari's No Objection on draf… Mark D. Baushke