IETF Logo Mail Archive

Re: [Curdle] draft-ietf-curdle-ssh-kex-sha2 and diffie-hellman-group1-sha1 (1024-bit DH)

"Mark D. Baushke" <mdb@juniper.net> Mon, 17 July 2017 15:46 UTC

Return-Path: <mdb@juniper.net>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80838131C73 for <curdle@ietfa.amsl.com>; Mon, 17 Jul 2017 08:46:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.801
X-Spam-Level:
X-Spam-Status: No, score=-4.801 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.8, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KWcXEAdmzP1A for <curdle@ietfa.amsl.com>; Mon, 17 Jul 2017 08:46:10 -0700 (PDT)
Received: from NAM02-BL2-obe.outbound.protection.outlook.com (mail-bl2nam02on0131.outbound.protection.outlook.com [104.47.38.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2AB6E12EC12 for <curdle@ietf.org>; Mon, 17 Jul 2017 08:46:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=zzjPS5/xJ05zVzJ6iKsg1WU0sxsxTjQOBFWq2mta9Gg=; b=KjKRLoM2srB9acIXDb9aRAt/OvARvQFH/ybZ3+d3xi3jkPR6gkZzMn0h9qmXgVXCRQZeGq4fs5t99ZhmAsAyibSqRHrPOtmjaqfjGW5upJJr4ai+Y+ubmlGLls1jvvUm/SPWRAfk9j3MVm8DOcBGZCfTLCt89RLpMC/SPOC1vOw=
Received: from BN6PR05CA0003.namprd05.prod.outlook.com (10.174.92.144) by BY2PR05MB2312.namprd05.prod.outlook.com (10.166.112.150) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1282.4; Mon, 17 Jul 2017 15:46:07 +0000
Received: from DM3NAM05FT063.eop-nam05.prod.protection.outlook.com (2a01:111:f400:7e51::209) by BN6PR05CA0003.outlook.office365.com (2603:10b6:405:39::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1282.4 via Frontend Transport; Mon, 17 Jul 2017 15:46:06 +0000
Authentication-Results: spf=softfail (sender IP is 66.129.239.12) smtp.mailfrom=juniper.net; ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=fail action=none header.from=juniper.net;
Received-SPF: SoftFail (protection.outlook.com: domain of transitioning juniper.net discourages use of 66.129.239.12 as permitted sender)
Received: from p-emfe01a-sac.jnpr.net (66.129.239.12) by DM3NAM05FT063.mail.protection.outlook.com (10.152.98.182) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384) id 15.1.1261.15 via Frontend Transport; Mon, 17 Jul 2017 15:46:06 +0000
Received: from p-mailhub01.juniper.net (10.160.2.17) by p-emfe01a-sac.jnpr.net (172.24.192.21) with Microsoft SMTP Server (TLS) id 14.3.123.3; Mon, 17 Jul 2017 08:45:36 -0700
Received: from eng-mail01.juniper.net (eng-mail01.juniper.net [172.17.28.114]) by p-mailhub01.juniper.net (8.14.4/8.11.3) with ESMTP id v6HFjZR6025578; Mon, 17 Jul 2017 08:45:35 -0700 (envelope-from mdb@juniper.net)
Received: from eng-mail01.juniper.net (localhost [127.0.0.1]) by eng-mail01.juniper.net (Postfix) with ESMTP id 8657411446; Mon, 17 Jul 2017 08:45:33 -0700 (PDT)
To: Tero Kivinen <kivinen@iki.fi>
CC: Russ Housley <housley@vigilsec.com>, curdle@ietf.org
In-Reply-To: <22892.44221.173699.599992@fireball.acr.fi>
References: <22892.35863.542104.942153@fireball.acr.fi> <A9F5E1BB-967B-4DA7-8E3D-7AE8CC06EA47@vigilsec.com> <22892.44221.173699.599992@fireball.acr.fi>
Comments: In-reply-to: Tero Kivinen <kivinen@iki.fi> message dated "Mon, 17 Jul 2017 15:25:33 +0300."
From: "Mark D. Baushke" <mdb@juniper.net>
Date: Mon, 17 Jul 2017 08:45:33 -0700
Message-ID: <82617.1500306333@eng-mail01.juniper.net>
Sender: mdb@juniper.net
MIME-Version: 1.0
Content-Type: text/plain
X-EOPAttributedMessage: 0
X-MS-Office365-Filtering-HT: Tenant
X-Forefront-Antispam-Report: CIP:66.129.239.12; IPV:NLI; CTRY:US; EFV:NLI; SFV:NSPM; SFS:(10019020)(6009001)(39400400002)(39840400002)(39410400002)(39860400002)(39450400003)(39850400002)(2980300002)(199003)(189002)(9170700003)(50986999)(54356999)(76176999)(345774005)(2906002)(189998001)(48376002)(117636001)(230783001)(77096006)(2810700001)(76506005)(106466001)(5003940100001)(105596002)(53416004)(97876018)(86362001)(478600001)(4743002)(7126002)(47776003)(38730400002)(305945005)(110136004)(6266002)(6246003)(6916009)(2950100002)(5660300001)(7696004)(229853002)(55016002)(54906002)(53936002)(4326008)(8936002)(8676002)(356003)(81166006)(626005)(7846003)(6392003)(50466002)(42262002); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR05MB2312; H:p-emfe01a-sac.jnpr.net; FPR:; SPF:SoftFail; MLV:sfv; A:1; MX:1; LANG:en;
X-Microsoft-Exchange-Diagnostics: 1; DM3NAM05FT063; 1:TMQHldUosOP4PqS+p/zK1rtaDBVGOmwmdHbmtFz3bW4daQBRi6bV9PmgZ2f9eOsUvMm2G6PvSX48h10DxJLsrLuQiNxx0kBm7UBt13EVwh6+k9OtuwF6KPuuFpaAE+FquO8KCkc4Yo/H/iDQmawyWA832S1dMXcUPYuYx2awKW1gfAAW9RjuceOvILCpl0WzROFSMk8nQOti61/ArXoFqbk74WiCKAbEZvAf0HtWEXt05mVsb/VHRfoL9zs/qfbWUfQ0s6Qk8ONgkd8obrT7MQUowRd7Y3WRVMb5h37Wn3BnJf4isx5iiz+6tvQArm2vUi/GQWjUaSe1wFLyNtQ3pqXBtcXWMbyMEAE8HCHPOPFZQAnF4C8gm4WTNFWM3is5mf0vH4mvBIshMVXwVcIbra/IWbedmRIGcL96Vqe693347qtxDQsdkEIe5YdS4WGm2ro8zqVwJrMoajYWHbe28FjGBmgM+8GBbcOdCo9IRiG6RSInmxjjshaoMbed/jaKohHAy+RjvfzsIoMLYIQa3C+0tzgja1e2bmHLiJJhrYyR2aaiEjQZXhgnKI2MEYLQmz5Dz75royDnv8pI2HVrpewFlX/maxnW1lp2LtA2Q4RJwnlKA0AFN0497FYV18Dn/BfFzrt8W0eSBeeCFmb3l2SxPPa+OEUxt8dlAB8ywVj5QUnp09Bolvdnfwjx+giyVBPnhK4p6rznlDwz28AQ5iaQ5dYF+SY8mvn70XQNnnpIYQqQaT6veAQfTTNi3sWBbSVm5IedKWpp6FoU8VyGbUsWWM5+aFPxfW8g8umwjj971JvC/G+xncozaZq0zFwqNToYOxTuKu3hsaw367h0pKl9yjJture+CDefgw1Osdael0cYc4hhDykGkUWlHGeVLVdcoQS3J5qkKSv82IMvkQ==
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 2cd04f95-f3f2-4519-0e00-08d4cd2af01c
X-Microsoft-Antispam: UriScan:; BCL:0; PCL:0; RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254075)(300000503095)(300135400095)(2017052603031)(201703131423075)(201703031133081)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095); SRVR:BY2PR05MB2312;
X-Microsoft-Exchange-Diagnostics: 1; BY2PR05MB2312; 3:DuwWiGC7BEzfJjsbisSK3vMzNbTheiLR7OGFDmpJdDj5O6kwlmSvWuS49EvWGX3J5K1diZ4zgs4tuIYSul9KtDZURp5uHJpj+niNehtK8r97loUeX1gxV4g7oSvY/i96yXYg75nBVu2vg/ey+vhi+jjNZlXGjq/iqC3Izt+AWBuWFI+IqOy2CTQlr7fbK53E6HbWBUyrCJPhGA0exvym4nWAzibKOWsTJQ07o4SVRQNZv0p42zw0+jleguhhJDl+xXvqOMR8R6CgvLvqch+WZy/If/UwPEbIq+yGdQdH6WFSfaFep+UVctZCnogV4bFp43tj4f2jyC1UoTGqDrf9gxEQpqqeqI3F1l54iKBB0aIHOWSntpY2SvHvZcjTY9LK9W/n9v7lZCPTY8pHgX5ZjPS/d7LdP9uglaDmJz5C4Q3dHY8SqDU/y6Na3oxsV7Ty+D9aLsNSU5QhCQh8zEda16i+wYXL9RMP0ASOU4OZCvZ43NxCUBPrH6blkNb4lAAbdHsNnrquuqH25dVIpo0gGeVaZc1cOYQT6rbJcxTQd97Ynp/e+hHC+PNKjXot+YLcUZnKlPyR5CoCWIOaUlmU9JurVAwK7aGtfHV0VtTpzZwmWgUayZDeVbFKBrExmrAK4FzLFlSuH15VE8oy81XDYZ0W1Y3tnvu1dKscW/mqM60xyq1GCkK64EOc9XmVmh62jfnjDNbOnP63Ael1f+drVIFvwe/u1kDyqN+SbZvQu2CLSBSvjtrESwYHcONU5Y2+4Lm2t2gnkpejnPpVp0/D6RqQzuXne0+I9zxKIlx3fqMzkXbEKx80VVFiDp137KQkSVCJe0i8hRvAnyMVYSk88HPuiOmsbWaq7X9WpyMCteav6svkPHMqCZ59KPETqLnw/w+O+dzMNDAFrHFffIaYOw==
X-MS-TrafficTypeDiagnostic: BY2PR05MB2312:
X-Microsoft-Exchange-Diagnostics: 1; BY2PR05MB2312; 25:zXcJ1fNE7/aB14h2iB+htSMWbu5tO5r+Y7stCzlhpd+fuMnrLBmHxCPrLDkrzdd0X5h5lZ0SG9H8vQAt599PMQi1qs6TwXQqhHlJeSaffU/Vxc3QAVVKSISBYb22wbVpr0sGTZG+g5RveEMX/i/QP36oC0ShL42YHPVDxMhMSaPki201HrK3r5F1Ejw5vGqv1BdNDpiB1WNLYqbauGpJ3nu5yHyQ5IDRvR1CI0hauBB1E0+WASYcxLIq+j8iD4PQX6YfMOLQlBYsmCQd3dYkhD7fhntMwnn2Lt8L9m6bEpOrRcKA5d1eHle/T0/tddtorze3Mrpnsw/mfNKjGgM2HUSh0Fad14FQlK5ixk9WI+Q2TPDM/Z8PCU3y/Zo6Ykd3NCNt2rbRnYeRTzK+NwsEQ8VKQMa8NCI22bO5855xVbys72885H3jjNd1diTa8LsIcSAxURFwjdtFEs8qpn2inxjMG9whQqaV+MGRF4IqB++zMJySkB8fh8U5CEwLxs9qtKhS1l5dcqRlKol/eRd97rXDKcPoto+RKPeucFz1OwTrxrMG//8VbQu1hHraci3ClsmtV169TQDbRYCxnIoMR+0QWzXANEM0EF5Pq1PPE7PsVED+7PIBoGQBt6TAmE/S5dq8YCb4RLvq2qRAYiVl8zhnygbvqpqv56nZMBfb5FPcxZ1YqLhN7oK8YiH7/bxML2/sUC94+FPmYFfw2C5QzbKbOH/no17D7KXELQTZ4SKSgZMwqzKbfeVnuGz2lJ3X6MGb3S6py/tNoRQ5yEzfEX6oRDFj9IqUn+7gXKZEz14Ddhc+fbpbf0ek2PjQxTx8VsI0k2sE+qdiZQowa2yV1ADYmsR2mN1bQ6KTmwmSYjH6Ac4iadtlN2eY+ERdDBNgmyssmx1atXyIM7p2rRncnFjckwoFpGtthFqEyNLV3HE=
X-Microsoft-Exchange-Diagnostics: 1; BY2PR05MB2312; 31:kdBPjDAFD/IDzW5qAgws7TpnTnE2vvZt1O7pyGUSTH+RWmVcxG/Nz/i+n6zZQSt25FExV4gQxg4WNFfZwhaF6YUHcfEMdTSdcBCSFKEG7EUplVNmt7VTYtcKnBVC8v70l+PmWWmPSfEfesuc8q8+8RBeGPwwYao08skqyP5XOA1nrt7Udadl0lMAqx6JeuRGbqU8B6idluvNzlm1BSJzqbSp1+4hNU3/WsukCadm0wnVARUpA4QTK22Kk3zLlhfU4gTO+CZ5jQS7tH/31Io/nNMoTfaY2KnpSQc5OSvMss3vJRNlmOjC3sfl4eJtP0xJ2MMG+BmcL67+/z6pVxDILgrWQFStGnS4LsfsWY/AL1mCvghn3FrewmX9Ltw852kUrrsnb5RnwIeOxG3QyBJz4o+BqpWxrO1GbJ/3bzz9+HBVwzdP0EEbld8gjlmcXUFu/xe+pROU4bw1jdN1UfdpScgt5TDqKwNMgRtelGEpB3LYFzv/yEXcD/s/wM8SrYxyTj7PGijJMW+FQNvbfNqY3FUwiiHe79C2Y2TWwygkXgIX0u5rJq3VYL6jTAK6O9pvJJb8AUzj9O4tcFcuwgnIq0vQKZrT6m1gOjOmcrKVDVAgxurA4vXPHz+7mqEhtAp7E5hiTITHFXZb/QPv3u5KdO7gapo8wdluwJuRseGvmLKU67Ve0QcFnPMDDQN/TH2DiEifHVn8MaYVzhYcIm0Z5Q==
X-Microsoft-Exchange-Diagnostics: 1; BY2PR05MB2312; 20:zw5VC/kv8Xn/YCOkWEr1lS09SJynxwjXOYVVVDjB9tA6/3B2SWJtpGz+bRC5dRfq7Abtt2tad/YPqYkU4dEYC1HZgiNROgfR4WS1xX/kl9WZykdUgNa/Jr5gBS+ZOVlK/84G4Xx8RrJ1E59NchswjwTYfKyL6ecxGOZKBRJSyBS1yYn7Ul9BQa44F0nuaxaclMWNhtdi+cm1S9lpVe4W0b3LAwwi+FliNpiMxR1qxWOXzrLD6hywI8vlXFsVGMFJpyHS8bblHAZdHZqiRnmz0L0ye6W9IvSLlAXmj2vu9VJRDPWANl/PrVNvtFvKe+5WLk/yN7Lxs4ugynjftYvi/tx2x07DZck9XeEiHswT0+/CD0Nyx9Q33/q2K+gm2vuneKQLT9U6B3ohvp3IGfu4oRVQ643IuvMiO03yBOcSffsNO9WpCw4cCVr9p2ViR2y4ckc+jcg+Zpx/Bel6ZXz0tn3+TmkIeR3aoVPt4OzzQOQVplj3L799uBElyRgqt+DA
X-Exchange-Antispam-Report-Test: UriScan:(158342451672863)(236129657087228)(192374486261705)(209349559609743);
X-Microsoft-Antispam-PRVS: <BY2PR05MB2312FD8E8155F1DC847D15B7BFA00@BY2PR05MB2312.namprd05.prod.outlook.com>
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(601004)(2401047)(8121501046)(13018025)(13016025)(5005006)(2017060910075)(93006095)(93003095)(10201501046)(3002001)(100000703101)(100105400095)(6055026)(6041248)(20161123564025)(20161123562025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123560025)(20161123558100)(20161123555025)(6072148)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:BY2PR05MB2312; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:BY2PR05MB2312;
X-Microsoft-Exchange-Diagnostics: 1; BY2PR05MB2312; 4:n+ZR6zdJ8ZkDZRTKFTwKxhExQJFZSItGh1jJNTzG4eYT+W6P3Pj/+AMdKn56nvbvxEUtoe6LMQudHOBDbe+YnAfaEeiVRwV75Z8cs6uIVBGUVLCx9ZmHXtmx7/VnvoOO1pQsaKEgz82kreS8xCutM1HWrFF1z7plHuCg5AiVnwX2ZsT29m1OKs7IOR5d4XsIuthhDQ0JMLZ59IrfTwg61zY3k6XqFEZGKdtV9P1S1nhLmMu9BM8oNoaVOjRa+XfWfsGnxC+FlVWCQVsy8+R1iwGgtb485QXpqwGKPXlWtRXbUAT7aqhAlsAJGYri2JGI9eb0XVSqM8uRkf7UrwjdqUkNI2I06jCZ8TLFOrGOfmOgVZ1D4q5S91h9Hcj4oggVNiMiF3ZYOdoG20pAHAEBkYxxn06rJTgMp2DINRxGMpUWplTMiQT6j5ZbQsL9nYZFme7djTNSpmOizKi6GpZG8rd+TMfA4Ujg1w/RApf4H6TAeX/Ko7jDRskTGbpIQWPLfH5G4FGcZomEkUCO/89MmoAa6EoBPcQ+M11xwDyJJEpeKtvSrEhEMJ3qEVPN2tp62r10iOShwa84IrTxFp5rAVz/08r8EWyJtzh2uxkYZgAyHW9MaNyGBCT0l3mNgaLo5XsIGTfKFo4xXyp9Cj13fUtOZqlO5ay/HRJYerQi3Z2SgqCwTIb16jZ83EJrlxedXQun2bVD7fmDop0buTKDRGusHVWv6ckzu97gTbrPz/ll62cmL5U+bNasLQYICg6wfuCA0aEttbXOr8tJMdLf5pMcJ3vlrKWKj05tA1sBrUx8/N1tirhVR3IEESy6nRQkKred9EX91MWh95X8xVcAcQpKJwi9BI7OMtR3deLwzzKsjTKgRr5RcZR3lrmvd5HsU83ZyREEYA/bhtkI07IAf8aFQfDN1V+tlQ+x0lxhWz1abTNmMImBB0Xqhebkp8TmMe+yVb8xloyqYBcHcxkinIqxb7wzh11dcyoDHdRGFbVgrwTCxab2wasCFIAo/8oo7VTbIQ/96hJG0G9MXpSraZNaD6DmCLEGlelUfi66wLAfSG3l3hrUSpI+GW6oJF7b3G8446XgRMI7JeKDP6mCspw3mKX0gMms74H6vRL8uC2xs+QlgHdUQc0Oi+aCBTl8dtxxArlRC193FYySPFJDB+k/9UZVUcMmopUilK1fdFpCuxPwsuCkreg4gwxgpE9b2o2SQs99WAfc46y85TGYusnhmKcSCHWarqDN7ROAlmnhxuy0u+5ap6JPO4vwn57GjIbDKsr6Y8KsMcxFuSyinLcfEiOM9v9amwv1KczgpqqKJZ2iGY1UXyMoayZNFwAJ+w/INKLtq0TsgkbFheZ9wPYR+nae0soQmsZm0VgQnWE=
X-Forefront-PRVS: 0371762FE7
X-Microsoft-Exchange-Diagnostics: 1; BY2PR05MB2312; 23:JlNwL+xBdsYqw4WFBzzH11CHl6RRWeuBvKeswD5T04r5SagtrJ1tDaOjFOZKDecRYiQEuhziriaWOR9A9DSRBjboNvw7GqhvRvnr2TXJsyeNNLg0rq2wizo8BK+/V+TYBh/JCGeDZ+vIG0s71C1ve/mnAL4U6+CAAfEreAzFOsnqiImYlaLOaED5iAnbfRuVy1n8tJUQm44x0V1jnHxKNd0JTYnMN+A54CPn6t30PUUSapQ1NhqRg8ZNQ5eX8DZyOFZnofgbdwDyrq9LTIyc1FfVb8UQlMEw545Ri4YJZxuNPEOHzooIEuDphjZsN03gwsezrXKDcDoiMovY8xHdvB+O/d4+5mN4bBq1RM0saC67FU64B8nWqxKqy5/InneIIEC8lQk/LylF5isNrTJCyft09eEC2/K7SejxhYlNs4jpySFsTacB66mAzGL3PlxVxRmCqS9E6YYqMt51E6UD/JOANSBIPJI6AU6pkn6XNu3EROiALLNh85PPX0S089aweymEmz07hkIRPNEjy8WnKDFSQ8b+HzyKDG5QyxrBixhFxZB6fPNHzViYi2wnX5OzijZf3zwJNS7aG8vA6zSpRcRGRfnCzE6xzqeRdleueU3CNzFvNcl9wYWa5RwC0RY3lHu15WS++3UUVyQ9JqBSgc89ImHuOdl2A51cer2zmy76e743SxLrQ8/JKxiXey/g7niZ52ZlZgjTOAcJiOfn0eMt9JXglH4zUZ4kywRiCX5pIk2sCXvm1KiVwf/YXo6ZpNYjigiGkC1Nwb6ZJds6PfZ/C+5JW60prqDQhFhn3ARAGT/aAzP05aZQ4MEXx6d0s0WuwY1H1JdqwLvQ7VuOu7pM9stllPLgeWrPfEYnXaCaz+UwauJv2LL/6rdOTjS1ZxPa55PdNovLY93VGD3ZT0nFscxwPN4mwQOdO6gJYPRw7rD/pBU05hlp65vCqyxFAD16i+47t+yiEZWloKJ1U++qUxbOFmPbwxFY2+yNrN7yJr85jsQxCZGFHyy2QgUzWObjxhciAueUrbDcaSt2UrodFy8XRL8m2piR93arOkZ+gpoOYuRABHXWwvOUo5UJxV5ERS4Y2GioyIMddmcgHBwkvirfps4gtHFSq+wvZIeh16v4yoqB+Ec0dbokeoGaaDrNCF9457x4S4HqfuLKEISelZkH6CevTguYwVNq/sMjuo95t7hMUyr4p8z3uHPmpunVD8RGcewbWDvUIFV4a+tQaCtkJFBtXlZltvEsgi+0EYVvY0wn62ugDUHe4g20Iqrs3KYLSzK6lQOehYxfnXfCb+i/RJeYLA8zwzNnclglvsxmjsRsWEjTSUx6FgaYw4gNWDN9/wVaYlyU0s/jPA==
X-Microsoft-Exchange-Diagnostics: 1; BY2PR05MB2312; 6:X4gIjzwyZH+kwV2rEqXgbwnK2pfk7KUeO8uRLZi3XUSdLcfrm3VcruMcvbjEl11p5wVlx9P2o4ow+7qXktuiaj+8UlF70DAf2dWF010qZBRRgH5Dsnn0Zs8ZKY6wLKYADljEClb9Foli6DaPEECzeuCDbWOGuhc606D1oWAMJTj9WhpDNi4pc8vfSJfM4irN3xXxsb9ro26ZkyF+XPs+ZlN598aofOX7p54+6uIIvA1FSJNb82ZWCbTUDSc9uhOXqmx+h2T7uuKaqP4SfWWsyEzSz9JSk7x6A2oLozat7EyhZDuqEtZzGGQEb/m0iCsV5p4NHPxhMjVLqRDYfOzCcrhIoYyJEoytPYYFs3l+DLIx0c8o2XsHHdNr8g/VEPh9JDh/tqjgUGULCRhTMf0JxI9KhlHrya+VG2uId2gV3jSEWNokxqd3q7ZS2hu+JeG7Emn1cett0MJymOumf10CENfeazF1RZgBNkgr8uVmBM6M0TllzJ/2Hxv3V3xmPQSIc8nMnAfVOeorBlGOVAFGLTnyppMlZu9F8fn5m85oGT6/pkBvtEF0Cs5OCk1oZ4aZGjL8nl9jioWSzBXVDMbNmoaQECsGCR7PDz6yEukPSXNnde0Pxg0LfDor1uo4VKzraTg3nlOXC2BU2nEk9ZZB5mAX4nc0NkV2IATViFBKtbiepZMOpPT7c6ay/nJp9NaM7MLc55JqCoz9S1dHnFFIw0sOwR7uTxAhTZRV+6kJPUYansL+DvlHYp721YJ9XXtsuv5sbb3gYOmgRb5SgXinRjr2pzjd4bikvFXZkQsDF2t7kVpq3FyR+JqeyU7MODom38shMgbCAN9FqI16DQ03vei3DlQJUNThfzy25RdK6MVQor7Cpa8SlSCITdNpNO/Mj7l4dNMXCmTuHl50u9VkLy+hV3B0L87LMh5oeaf+rIDxAX+OfbfJBJ9RsieB3cKcFBc1B+BKxg3ECy9OKyjod6XAm74n0DglIrBZxSJgF25dO2PDwLeKqmp3MIh1V5t1
X-Microsoft-Exchange-Diagnostics: 1; BY2PR05MB2312; 5:+ZLC6nmuoQEdV46Z3ZQEAe3daIcRGhAM8HGjasg6tn/WbSVjfq1PzHbtiN2eAiVR2wGGvqaXf8LxBWEl/pGsEeZu5n435lAEHEWmDgeQYYDOUMTxGFX4m41TlnLPcpfSVEXYrhV9QHSk2OBjAib9rUNbgBMkbgY4d4Q9oDyARzWVhH39Fs5VXaJY/SCU6IjomlozD7Rk0Cu3U1F/P4kyn8V/Ny0ZFkQfObZus3I6D1KQy/sShQxWYM1aOWfbhLwRW9KhZ1l/RKrSJ4Z3teMBtZzwwUuQVU+tPdWuVciDqHrnwhcCW2/bKklBLcVgmkAghQ9z5u0woHeCoPBpppwkJ+yU98iFj4TiPJUGjwKhndCEBb22v6OnLcJU0xqDLqarKzDJppiee7AB6X8NkHsXai4x4cXLcan5cw2IzNiiuag4Fs4mam6RnRF908RfV6CJkCyL7+iaQheDAh3pNWFWkVBO9f+dJkfcBgP2YVLlcbFtklNg5+iPPppIF9sQ9DfE; 24:BjhW0vavcvKA7UMCrR/p5TA6eZXT3IZzqvMGFc9HOz+qW+7fXnqeTpjMxZtH/hyvp+1WCcYcm6Q389gnJIW6IPCcE6iLRxCq5L2m6dRFoxo=
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-Microsoft-Exchange-Diagnostics: 1; BY2PR05MB2312; 7:GpNRRDBrxQ9tf4PuPNUXPhFFkT0h1vc2IfacLXUgZ6MxssS9tYg6mzbzV/pv3LmpSdGtX3dcYvslvVWsh4hNS8XskuwYhbpGMJCxSFAKiLrQNLG62HWyhsPMBQbdIA1pTTW00a/x2pmTV+paRfdKM5rB0uSXbN9jeTeyvXxVIJlhsY8WHgk68ef6EW2N3fxZBcXddSu/WDEeIE9MsXdt/ekv4BlvrGGa8e7uEC3ONSZHtBZXIWcsFOpZYdQyNNT+YORb9Z4X6f0bp1XO8r1B5oEi8lgcMGTfxNYYl0/gKMhLDhxzwiJWty8A4C2dgxG3gH8d2xp8ydjgBKAYjwAPZigzQkkibW3Yk+Xl+/xcYVTnycB3/kLkY+CA5DmmO+qU3eUak/bQpV6s5WUfcICaed153qppZV6VWp1wowz6Wmb6CKKQIeABfyiO197P1w/+KDABACa3/oLjAwlxEmod+Ogjet0Po0dD023vqJbYtxgz7t0obyS8Q4wBAt2jGgjlxVyuR01+PZubbGLFzAjsGQ9CmY3WD/qc4Op3aWgPYy7vshePoQ2EskcaXF9KxX5eSurZ2UJSdsdIvi/5gsLbaYHmUlX6H/dqbd9KcZm2SQyLRE4TVlkLNEylteHmNGBUUuKtOYcNOtXckKJI9PIc3n2ATgE2K5Ci5Tn2PQL4Rzu4B5CPplIeaJX6orJDRUgP3zTjVi4VdVJhoV3MDUJuwWrhfD2nFKT1LBQbHHAQbQZl2zlnxeWbbOEhDzeEbPLQFhe+0q/b8XjO08w8d0CNbg6VXO/o5VwtTQw1Sfh2f4A=
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 17 Jul 2017 15:46:06.3648 (UTC)
X-MS-Exchange-CrossTenant-Id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=bea78b3c-4cdb-4130-854a-1d193232e5f4; Ip=[66.129.239.12]; Helo=[p-emfe01a-sac.jnpr.net]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR05MB2312
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/ZSI1aWwGOlAiCde9jLT8bmSEO-M>
Subject: Re: [Curdle] draft-ietf-curdle-ssh-kex-sha2 and diffie-hellman-group1-sha1 (1024-bit DH)
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Jul 2017 15:46:13 -0000

Tero Kivinen <kivinen@iki.fi> writes:

> Russ Housley writes:
> > I agree with Tero.  However, I like the use of SHOULD+ and MUST- to
> > signal to project and product planners what is coming.   

Thank you for the feedback.

> Actually it is much better to explain that kind of things in the
> actual text. For example:
> 
> 3.5.  diffie-hellman-group14-sha1
> 
>    This method uses [RFC3526] group14 (a 2048-bit MODP group) which has
>    no concerns.  This generated key exchange group uses SHA-1 which has
>    security concerns [RFC6194].  However, this group is still strong
>    enough and is widely deployed.  This method is being moved from MUST
>    to SHOULD- to aid in transition to stronger SHA-2 based hashes. This
>    method will transition to MUST NOT when SHA-2 alternatives are more
>    generally available.
> 
> 
> Gives much better information what to expect than SHOULD- in table.
> SHOULD+, SHOULD- were useful when we only had table of requirement
> levels. Now when we have the text about each algorithm explain the
> reasoning, those + and - characters are getting more and more
> meaningless.

If I add "SHOULD NOT-" to the list and move diffie-hellman-group1-sha1
to it with this text:

      This method uses [RFC7296] Oakley Group 2 (a 1024-bit MODP group)
      and SHA-1 [RFC3174]. Due to recent security concerns with SHA-1
      [RFC6194] and with MODP groups with less than 2048 bits
      [NIST-SP-800-131Ar1], this method is considered insecure. This
      method is being moved from MUST to SHOULD NOT- instead of MUST NOT
      only to allow a transition time to get rid of it. It should be
      removed from server implementations as quickly as possible.

> For example the SHOULD- is defined in section 2 to mean that this
> algorithm will be deprecated to MAY in future version, but in practice
> we quite often go from SHOULD- to SHOULD NOT (or even MUST NOT, as the
> text above suggests).

Does this change make more sense?

    SHOULD+      This term means the same as SHOULD. However, it is
                 likely that an algorithm marked as SHOULD+ will be
                 promoted at some future time to be a MUST.

    SHOULD-      This term means the same as SHOULD. However, an
                 algorithm marked as SHOULD- will be deprecated to a
		 MAY in a future version of this document.

    SHOULD NOT-  This term means the same as SHOULD NOT. However, an
                 algorithm marked as SHOULD NOT- will be deprecated to
		 a MUST NOT in a future version of this document.
       

> Anyways this is separate issue than wheter we should make
> implementations having code for diffie-hellman-group1-sha1
> non-conforming by publishing that implementations MUST NOT implement
> diffie-hellman-group1-sha1...

Okay. I can make this change later today.

I will probably also add the SHOULD NOT- unless there is strong
objection.

	-- Mark

v2.23.0 | Report a Bug | By Email