Re: [Curdle] Warren Kumari's No Objection on draft-ietf-curdle-ssh-curves-10: (with COMMENT)
Aris Adamantiadis <aris@badcode.be> Tue, 03 September 2019 16:42 UTC
Return-Path: <aris@badcode.be>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF07B1200D6; Tue, 3 Sep 2019 09:42:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NzdLlzZLydul; Tue, 3 Sep 2019 09:42:27 -0700 (PDT)
Received: from korell.badcode.be (korell.badcode.be [IPv6:2001:4b98:dc2:53:216:3eff:fe3d:8234]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 43444120145; Tue, 3 Sep 2019 09:42:27 -0700 (PDT)
Received: from [192.168.128.199] (host-85-201-47-162.dynamic.voo.be [85.201.47.162]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by korell.badcode.be (Postfix) with ESMTPSA id 13D439E0AB; Tue, 3 Sep 2019 18:37:24 +0200 (CEST)
To: "Mark D. Baushke" <mdb@juniper.net>, Warren Kumari <warren@kumari.net>
Cc: The IESG <iesg@ietf.org>, draft-ietf-curdle-ssh-curves@ietf.org, Daniel Migault <daniel.migault@ericsson.com>, curdle-chairs@ietf.org, curdle@ietf.org
References: <156752357052.9594.7566059219592586096.idtracker@ietfa.amsl.com> <23919.1567526907@contrail-ubm16-mdb.svec1.juniper.net>
From: Aris Adamantiadis <aris@badcode.be>
Message-ID: <27bf18c7-7028-dc2a-54d6-2f98f98e7328@badcode.be>
Date: Tue, 03 Sep 2019 18:42:24 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <23919.1567526907@contrail-ubm16-mdb.svec1.juniper.net>
Content-Type: multipart/alternative; boundary="------------5AC2846DA9A862875B9D0F97"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/Y_U89Zq8_rdmlPgBJ3dtTSCsE-o>
Subject: Re: [Curdle] Warren Kumari's No Objection on draft-ietf-curdle-ssh-curves-10: (with COMMENT)
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Sep 2019 16:42:30 -0000
Hi Mark, Warren,
Le 03/09/2019 à 18:08, Mark D. Baushke a écrit :
> Hi Warren,
>
> Warren Kumari writes:
>> Mirja beat me to it with the questions re: the additional Copyright
>> text -- I'd *thought* I'd seen a reply to that mail, but cannot seem
>> to find it at the moment..
> My comment was that as I had not introduced the copyright section, I was
> not comfortable removing it without approval of the other two authors of
> this Draft. I have not yet heard from them on this topic. I have no
> objections to the removal myself.
I have no objection with removing this section. I did not introduce it.
>> Also:
>>
>> "An abort for these purposes is defined as a disconnect of the session
>> with an appropriate SSH "protocol error" for the fault provided to or
>> by the client. "
>>
>> Fair enough -- but would it be possible to point at where people can
>> go find out what the "appropriate SSH protocol error" is?
> Protocol error messages to abort are in Section 11.1 of RFC4253. and the
> most likely code would be SSH_DISCONNECT_KEY_EXCHANGE_FAILED (reason
> code 3).
I was going to suggest this.
This should at most be a SHOULD because the rest of the SSH specs (and
implementations) aren't very prescriptive on the error conditions. If we
had to pick one, I'd pick SSH_DISCONNECT_KEY_EXCHANGE_FAILED. We can
refer to RFC4253 11.1 on the process of disconnecting a peer, but that
looks already obvious in light of the rest of the protocol.
For reference, RFC5656 doesn't go further than this on handling kex
problems:
All elliptic curve public keys MUST be validated after they are
received. An example of a validation algorithm can be found in
Section 3.2.2 of [SEC1 <https://tools.ietf.org/html/rfc5656#ref-SEC1>]. If a key fails validation, the key exchange
MUST fail.
- [Curdle] Warren Kumari's No Objection on draft-ie… Warren Kumari via Datatracker
- Re: [Curdle] Warren Kumari's No Objection on draf… Mark D. Baushke
- Re: [Curdle] Warren Kumari's No Objection on draf… Aris Adamantiadis
- Re: [Curdle] Warren Kumari's No Objection on draf… Warren Kumari
- Re: [Curdle] Warren Kumari's No Objection on draf… Ron Frederick
- Re: [Curdle] Warren Kumari's No Objection on draf… Mark D. Baushke
- Re: [Curdle] Warren Kumari's No Objection on draf… Warren Kumari
- Re: [Curdle] Warren Kumari's No Objection on draf… Ron Frederick
- Re: [Curdle] Warren Kumari's No Objection on draf… Mark D. Baushke