Re: [Curdle] Which curves are MUST and SHOULD ?
denis bider <denisbider.ietf@gmail.com> Tue, 05 January 2021 13:02 UTC
Return-Path: <denisbider.ietf@gmail.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43A793A0C30 for <curdle@ietfa.amsl.com>; Tue, 5 Jan 2021 05:02:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AsYTaLo0dwG8 for <curdle@ietfa.amsl.com>; Tue, 5 Jan 2021 05:02:28 -0800 (PST)
Received: from mail-ot1-x333.google.com (mail-ot1-x333.google.com [IPv6:2607:f8b0:4864:20::333]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4AD333A0C18 for <curdle@ietf.org>; Tue, 5 Jan 2021 05:02:28 -0800 (PST)
Received: by mail-ot1-x333.google.com with SMTP id i6so29196866otr.2 for <curdle@ietf.org>; Tue, 05 Jan 2021 05:02:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=KU5UF/dPIJoq+zrVgI2t2me6EKxOFCw3JQ+oVyAGJBY=; b=JlykA+XEnq1DmAmD2scCP/tTKyPZyVHwdsFxRfTJW5hQDuPffGIPkYsqGcnnw5VxS0 6M/cVcEZqsJyob9r4OGgrxlI9hT1JmSzd7mREepzMFPCwZEH/8KZ0frPF0Rd4a59S8RY FKfyqCQ4x8jbilZs3kk49heGTDzWjM1IVxWyBbmZJQ3l1qnOEAbsyiH8otCkNpTSmvCw DN7JPu2VEXMxwNdPTLk+2yotq/SF81UbD1zJt5kl+fBMgYIin6pSq94VY+3SQH1QlMFj dEq/Vo8RBD2V1OUtqo4uqZiBWc+gVM/6yKSEChK200nkCq1tI0gWIJjOBXOWrm2eeK96 Rtzw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=KU5UF/dPIJoq+zrVgI2t2me6EKxOFCw3JQ+oVyAGJBY=; b=j7KyHZMRklwLNnkjjyntEZWRzKxTe/Ac++mceiVDwreHyg8ylo+JuC9Gk7+PzVtlND 9IIYQuYdxwtp73q6mONSeXiUZ0MFsq1oNDF6gRe8t2ZoglCiRPfrNcYmBTe+ES++v9OG Wc8PmoAUdmMdR90b/xxh7BxVCIzlJS4xv1QkRVE8/DZ+nWKxyDvy5YzTr0VjpOwLptR1 fPVFS5F1BNPhZjA2dBqtTmMameE5OkU524WnqS2PTvzZf6vOqjHNzjKuoD/gK6IQob5G 02WdUuQa1lAGLd5b6aSksT9/djXzYLtE7jTFr2pLnnlQf9wtkwhqX33X8yzOb8DB2Je0 vBjQ==
X-Gm-Message-State: AOAM532Qk/2h+FGjvh1WcGYkIR46zbxrPB30Egl5NUCZxlF1wOoW9ZeP cJ4pSR3KQHdbMrgNYgApaAh9qlsMdSnoBVbBJ0dVhI9o
X-Google-Smtp-Source: ABdhPJwAnKe8uk0L1Jw9HuEJE12SKY14BySyyjST5hLxfJH2wz21qSk7bmn5Vff5OXcIQioBmZ4o2wKs4tXMdZDBshE=
X-Received: by 2002:a05:6830:1d66:: with SMTP id l6mr55440355oti.23.1609851747573; Tue, 05 Jan 2021 05:02:27 -0800 (PST)
MIME-Version: 1.0
References: <2CCABC30-F757-4659-9FF3-5AADDD51EE30@akamai.com> <4b681efd49274f03c7e0521e127e031426632ad0.camel@redhat.com> <CADZyTkk--kCWqE7q0Xi5C40V92MuZBktDzQGt_vPSZPiBy7v9w@mail.gmail.com> <18479.1606885358@eng-mail01.juniper.net> <20201205194724.GB64351@kduck.mit.edu> <37691.1607621661@eng-mail01.juniper.net> <1607647129866.76532@cs.auckland.ac.nz> <2917.1607672034@eng-mail01.juniper.net> <012AE120-2516-44F6-B729-ED342A137535@timeheart.net> <ED8F3B46-A5CC-4D14-A714-FD1C0AA67486@akamai.com> <12959BD6-F3AB-418B-8CE0-C3BE43999435@timeheart.net> <40887.1608233724@eng-mail03> <0f4dce32-b362-43d8-85e0-9608ca3427ab@redhat.com> <90135.1609791710@eng-mail03> <CADPMZDAb6Tcbiqi2UDrWOKzj5SQiSU-FOkqOjEELxiru--m8yw@mail.gmail.com>
In-Reply-To: <CADPMZDAb6Tcbiqi2UDrWOKzj5SQiSU-FOkqOjEELxiru--m8yw@mail.gmail.com>
From: denis bider <denisbider.ietf@gmail.com>
Date: Tue, 05 Jan 2021 07:02:16 -0600
Message-ID: <CADPMZDBwdv2d5ds_myvPpuMArz-yGBCh3NkvWNyQNpv_OYY2Vg@mail.gmail.com>
To: "Mark D. Baushke" <mdb=40juniper.net@dmarc.ietf.org>
Cc: Hubert Kario <hkario@redhat.com>, curdle <curdle@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008e254c05b826d1fa"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/aQ49-HcqWSbNsTjPo8MiXm9HdXA>
Subject: Re: [Curdle] Which curves are MUST and SHOULD ?
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Jan 2021 13:02:30 -0000
Furthermore, in my experience dealing with users, you can generally expect: - Users think "SSH" is a misspelling of "SSL" - They're given a security requirement to disable old TLS versions, and they look into SSH server settings to achieve that - They think "SHA" is a signature algorithm - They don't know what "RSA" is or what "DH" does - They think they need to set up TLS certificates with SSH (which is possible, sure, but not needed or widely supported - our software still doesn't) These are users. Users might think "RFC" stands for "Request For Cake". denis On Tue, Jan 5, 2021 at 6:54 AM denis bider <denisbider.ietf@gmail.com> wrote: > It's not both. It is developers that are aware of RFCs. > > In my experience supporting users over 20 years, only a vanishing minority > of users are even aware of RFCs, and none read them. > > denis > > > On Mon, Jan 4, 2021 at 2:21 PM Mark D. Baushke <mdb= > 40juniper.net@dmarc.ietf.org> wrote: > >> Hubert Kario <hkario@redhat.com> writes: >> >> > On Thursday, 17 December 2020 20:35:24 CET, Mark D. Baushke wrote: >> > > Ron Frederick <ronf@timeheart.net> writes: >> > > >> > >> On Dec 15, 2020, at 8:09 AM, Salz, Rich <rsalz@akamai.com> wrote: >> > >>>> I’m not comfortable with algorithms going from REQUIRED to >> > >>>> SHOULD NOT without some kind of transitional period. My >> > >>>> suggestion would be to ease into this with SHOULD NOT for >> > >>>> now. If you want to discuss BCP in this draft, perhaps that >> > >>>> can be a separate section. >> > >>> >> > >>> We've done it before, MD5, short RSA/DH keys, etc. >> > >>> >> > >>> We shouldn't pretend that crypto-breaking advances haven't happened. >> > >>> >> > >>> Admins can make trade-offs anyway. >> > > >> > > I am under the impression that the audience here is the maintainers of >> > > SSHv2 software rather than the administrators that manage the sites >> > > using it. >> > >> > it's both >> >> Fair enough. >> >> Two kinds of stakeholders: a) "implementors" and b) "users" should mean >> more responses for the question. >> >> Okay. In the original RFC4253 specification both >> >> diffie-hellman-group1-sha1 >> and >> diffie-hellman-group14-sha1 >> >> were REQUIRED key exchanges. >> >> The group1 parameters in RFC4253 point to the 1024-bit MODP Second >> Oakley Group given in RFC2409 section 6.2 and RFC2412 section E.2. >> >> There are two issues with diffie-hellman-group1-sha1: 1) recent >> estimages are that it has roughly 80 bits of security strength, and 2) >> it uses SHA1 for hashing which is considered weak. >> >> If we choose "MUST NOT" for this key exchange, then we are going from >> "MUST" to "MUST NOT" which could be a hardship for low-end devices >> unable to run calculations to generate a shared secret using a larger >> MODP group if support is completely removed. >> >> If we choose "SHOULD NOT", then it is hoped that most implementors would >> default to not configuring this option by default, but may provide it >> for enviornments that need it. >> >> If we choose "MAY", then it is not certain if implementors or users will >> do much of anything different and this potentially insecure key exchange >> may continue to be used even when it may be a hazard to those that >> desire a more secure by default system. >> >> Are you an SSH impelmentor or user or both? >> >> Implementor >> User >> Both >> >> I would like to get a straw vote for the six *sha1* related key >> exchanges. I am proposing that the rsa1024-sha1-* kex be a MUST NOT and >> that all of the others be a SHOULD NOT. >> >> 1. For diffie-hellman-group1-sha1 what is your vote? >> >> MUST -- current for RFC4253 >> SHOULD >> MAY >> SHOULD NOT -- proposed in the -13 draft >> MUST NOT >> >> 2. For diffie-hellman-group14-sha1 what is your vote? >> >> MUST -- current for RFC4253 >> SHOULD >> MAY -- proposed in the -13 draft >> SHOULD NOT >> MUST NOT >> >> 3. For diffie-hellman-group-exchange-sha1 what is your vote? >> >> MUST >> SHOULD >> MAY -- current for RFC4419 >> SHOULD NOT -- proposed in the -13 draft >> MUST NOT >> >> 4. For rsa1024-sha1 what is your vote? >> >> MUST >> SHOULD >> MAY -- current for RFC4432 >> SHOULD NOT >> MUST NOT -- proposed in the -13 draft >> >> 5. For gss-gex-sha1-* what is your vote? >> >> MUST >> SHOULD -- current for RFC4462 >> MAY >> SHOULD NOT -- proposed in the -13 draft >> MUST NOT >> >> 6. For gss-group1-sha1-* what is your vote? >> >> MUST >> SHOULD -- current for RFC4462 >> MAY >> SHOULD NOT -- proposed in the -13 draft >> MUST NOT >> >> You may direct your votes to the list or to the chairs and me. >> >> Be safe, stay healthy, >> -- Mark >> >> _______________________________________________ >> Curdle mailing list >> Curdle@ietf.org >> https://www.ietf.org/mailman/listinfo/curdle >> >
- [Curdle] Which curves are MUST and SHOULD ? Salz, Rich
- Re: [Curdle] Which curves are MUST and SHOULD ? Loganaden Velvindron
- Re: [Curdle] Which curves are MUST and SHOULD ? Simo Sorce
- Re: [Curdle] Which curves are MUST and SHOULD ? Daniel Migault
- Re: [Curdle] Which curves are MUST and SHOULD ? Mark D. Baushke
- Re: [Curdle] Which curves are MUST and SHOULD ? Benjamin Kaduk
- Re: [Curdle] Which curves are MUST and SHOULD ? Mark D. Baushke
- Re: [Curdle] Which curves are MUST and SHOULD ? Peter Gutmann
- Re: [Curdle] Which curves are MUST and SHOULD ? Ron Frederick
- Re: [Curdle] Which curves are MUST and SHOULD ? Mark D. Baushke
- Re: [Curdle] Which curves are MUST and SHOULD ? denis bider
- Re: [Curdle] Which curves are MUST and SHOULD ? Ron Frederick
- Re: [Curdle] Which curves are MUST and SHOULD ? Salz, Rich
- Re: [Curdle] Which curves are MUST and SHOULD ? Ron Frederick
- Re: [Curdle] Which curves are MUST and SHOULD ? Mark D. Baushke
- Re: [Curdle] Which curves are MUST and SHOULD ? Hubert Kario
- Re: [Curdle] Which curves are MUST and SHOULD ? Mark D. Baushke
- Re: [Curdle] Which curves are MUST and SHOULD ? Daniel Migault
- Re: [Curdle] Which curves are MUST and SHOULD ? Simo Sorce
- Re: [Curdle] Which curves are MUST and SHOULD ? Mark D. Baushke
- Re: [Curdle] Which curves are MUST and SHOULD ? Ron Frederick
- Re: [Curdle] Which curves are MUST and SHOULD ? Ron Frederick
- Re: [Curdle] Which curves are MUST and SHOULD ? denis bider
- Re: [Curdle] Which curves are MUST and SHOULD ? denis bider
- Re: [Curdle] Which curves are MUST and SHOULD ? Hubert Kario
- Re: [Curdle] Which curves are MUST and SHOULD ? Simo Sorce
- Re: [Curdle] Which curves are MUST and SHOULD ? denis bider
- [Curdle] Straw Poll still in progress for draft-i… Mark D. Baushke
- Re: [Curdle] Straw Poll still in progress for dra… denis bider
- Re: [Curdle] Straw Poll still in progress for dra… Daniel Migault
- Re: [Curdle] Straw Poll still in progress for dra… Mark D. Baushke
- Re: [Curdle] Straw Poll still in progress for dra… Loganaden Velvindron
- Re: [Curdle] Straw Poll still in progress for dra… Mark D. Baushke