Re: [Curdle] Warren Kumari's No Objection on draft-ietf-curdle-ssh-curves-10: (with COMMENT)
Aris Adamantiadis <aris@badcode.be> Tue, 03 September 2019 16:42 UTC
Return-Path: <aris@badcode.be>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF07B1200D6; Tue, 3 Sep 2019 09:42:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NzdLlzZLydul; Tue, 3 Sep 2019 09:42:27 -0700 (PDT)
Received: from korell.badcode.be (korell.badcode.be [IPv6:2001:4b98:dc2:53:216:3eff:fe3d:8234]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 43444120145; Tue, 3 Sep 2019 09:42:27 -0700 (PDT)
Received: from [192.168.128.199] (host-85-201-47-162.dynamic.voo.be [85.201.47.162]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by korell.badcode.be (Postfix) with ESMTPSA id 13D439E0AB; Tue, 3 Sep 2019 18:37:24 +0200 (CEST)
To: "Mark D. Baushke" <mdb@juniper.net>, Warren Kumari <warren@kumari.net>
Cc: The IESG <iesg@ietf.org>, draft-ietf-curdle-ssh-curves@ietf.org, Daniel Migault <daniel.migault@ericsson.com>, curdle-chairs@ietf.org, curdle@ietf.org
References: <156752357052.9594.7566059219592586096.idtracker@ietfa.amsl.com> <23919.1567526907@contrail-ubm16-mdb.svec1.juniper.net>
From: Aris Adamantiadis <aris@badcode.be>
Message-ID: <27bf18c7-7028-dc2a-54d6-2f98f98e7328@badcode.be>
Date: Tue, 03 Sep 2019 18:42:24 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <23919.1567526907@contrail-ubm16-mdb.svec1.juniper.net>
Content-Type: multipart/alternative; boundary="------------5AC2846DA9A862875B9D0F97"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/Y_U89Zq8_rdmlPgBJ3dtTSCsE-o>
Subject: Re: [Curdle] Warren Kumari's No Objection on draft-ietf-curdle-ssh-curves-10: (with COMMENT)
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Sep 2019 16:42:30 -0000
Hi Mark, Warren, Le 03/09/2019 à 18:08, Mark D. Baushke a écrit : > Hi Warren, > > Warren Kumari writes: >> Mirja beat me to it with the questions re: the additional Copyright >> text -- I'd *thought* I'd seen a reply to that mail, but cannot seem >> to find it at the moment.. > My comment was that as I had not introduced the copyright section, I was > not comfortable removing it without approval of the other two authors of > this Draft. I have not yet heard from them on this topic. I have no > objections to the removal myself. I have no objection with removing this section. I did not introduce it. >> Also: >> >> "An abort for these purposes is defined as a disconnect of the session >> with an appropriate SSH "protocol error" for the fault provided to or >> by the client. " >> >> Fair enough -- but would it be possible to point at where people can >> go find out what the "appropriate SSH protocol error" is? > Protocol error messages to abort are in Section 11.1 of RFC4253. and the > most likely code would be SSH_DISCONNECT_KEY_EXCHANGE_FAILED (reason > code 3). I was going to suggest this. This should at most be a SHOULD because the rest of the SSH specs (and implementations) aren't very prescriptive on the error conditions. If we had to pick one, I'd pick SSH_DISCONNECT_KEY_EXCHANGE_FAILED. We can refer to RFC4253 11.1 on the process of disconnecting a peer, but that looks already obvious in light of the rest of the protocol. For reference, RFC5656 doesn't go further than this on handling kex problems: All elliptic curve public keys MUST be validated after they are received. An example of a validation algorithm can be found in Section 3.2.2 of [SEC1 <https://tools.ietf.org/html/rfc5656#ref-SEC1>]. If a key fails validation, the key exchange MUST fail.
- [Curdle] Warren Kumari's No Objection on draft-ie… Warren Kumari via Datatracker
- Re: [Curdle] Warren Kumari's No Objection on draf… Mark D. Baushke
- Re: [Curdle] Warren Kumari's No Objection on draf… Aris Adamantiadis
- Re: [Curdle] Warren Kumari's No Objection on draf… Warren Kumari
- Re: [Curdle] Warren Kumari's No Objection on draf… Ron Frederick
- Re: [Curdle] Warren Kumari's No Objection on draf… Mark D. Baushke
- Re: [Curdle] Warren Kumari's No Objection on draf… Warren Kumari
- Re: [Curdle] Warren Kumari's No Objection on draf… Ron Frederick
- Re: [Curdle] Warren Kumari's No Objection on draf… Mark D. Baushke