Re: [Curdle] WG status and extension negotiation

Румен Петров <> Tue, 02 May 2017 18:10 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5281B129B5C for <>; Tue, 2 May 2017 11:10:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.1
X-Spam-Status: No, score=0.1 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ax_3csX-RPMv for <>; Tue, 2 May 2017 11:10:05 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3B6CF129B7E for <>; Tue, 2 May 2017 11:07:03 -0700 (PDT)
Received: from [] (port=59826 helo=[]) by with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.87) (envelope-from <>) id 1d5cCR-0039rt-Vl for; Tue, 02 May 2017 21:06:59 +0300
Message-ID: <>
Date: Tue, 02 May 2017 21:07:00 +0300
From: =?UTF-8?B?0KDRg9C80LXQvSDQn9C10YLRgNC+0LI=?= <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0 SeaMonkey/2.30
MIME-Version: 1.0
To: curdle <>
References: <> <> <> <> <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname -
X-AntiAbuse: Original Domain -
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain -
X-Get-Message-Sender-Via: authenticated_id:
Archived-At: <>
Subject: Re: [Curdle] WG status and extension negotiation
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 02 May 2017 18:10:08 -0000


I would like to split my comments in two parts.
First part is about extension negotiation 
(draft-ietf-curdle-ssh-ext-info-nn.txt) and subject of this email.

I'm author of PKIX-SSH secure shell implementation that support X.509 
certificate based publickey and hostbased algorithms.

Goal is to find way transparently to users to switch from legacy 
algorithms to rfc6187 one.
Legacy algorithms as defined  in draft-ietf-secsh-transport-12.txt (31 
Jan. 2002) are
- x509v3-sign-rsa and
- x509v3-sign-dss .
Algorithms that correspond to same key type defined in rfc6187 are
- x509v3-ssh-rsa and
- x509v3-ssh-dss .
Currently x509v3-rsa2048-sha256 ( rfc6187) is out of my scope.

Daniel Migault wrote:
> Hi,
> So far we have not received many inputs and I would like to make sure we
> understand Romen's concern. My understanding of the concerned raised by
> Romen is that specifying signature algorithms may complexity the ways
> Public Key Algorithm registries are designated.  However it looks to me one
> reason is that we are moving from implicit signature scheme to explicit
> ones.
> Romen please re-state your issues with the draft, clearly expose the issues
> as well as the alternate you would fine acceptable.

Let review be example following case - secure token (smart-card), RSA 
key and associated X.509 certificate.

Which publickey algorithm to in public key authentication without to 
probe all listed below?
- (1) x509v3-sign-rsa  (legacy)
- (2) x509v3-ssh-rsa  (rfc6187)
- (3) x509v3-rsa2048-sha256 (rfc6187 if applicable, perhaps will be 
implemented in PKIX-SSH)
- (4) ssh-rsa (rfc4253)
- (5) rsa-sha2-256 (upcoming)
- (6) rsa-sha2-512 (upcoming)

To find suitable algorithm we could use "software version" field (see 
rfc4253 4.2.  Protocol Version Exchange). This solution is possible but 
requires up-to date database with information for vendor, version and 
supported ssh features. For such solution maintenance cost is too high.

Another solution id peers to inform each other for supported 
functionality. So "extension negotiation mechanism"fail into this category.

Denis,  author of extension negotiation propose "server-sig-algs".

Until now ssh related documents define publickey algorithm - see 
rfc4252, chapter  7. Public Key Authentication Method: "publickey") and 
hostbased (same rfc) and format of key and signature in
with triplet :
(I) public key algorithm name in USERAUTH_REQUEST message (rfc4252)
(II) certificate or public key format identifier (rfc4253)
(III) signature format identifier (as specified by the public 
key/certificate format) (rfc4253)

For algorithms (1), (2) and (4) the triplet is :
(1) x509v3-sign-rsa  / --- (!?!) / x509v3-sign-rsa
(2) x509v3-ssh-rsa / x509v3-ssh-rsa / ssh-rsa
(4) ssh-rsa / ssh-rsa / ssh-rsa

As is visible identifier of signature algorithm overlap two publickey 

To avoid ambiguities in PKIX-SSH 10.1 I implement new extension (a) 
/""/ . Thus PKIX-SSH could list 
all algorithms from above (3* if implemented) as "public key algorithm 
name" in unique.
As of today client will chose algorithm (1) but in the near future 
(perhaps next version)  rfc6187 algorithm(2) will be preferred chose.

Extension (b) "server-sig-algs" is also announced by PKIX-SSH but with 
restriction - list only algorithms whose name match identifier of 
signature. This exclude automatically rfc6187 but could be used for 
compatibility with implementation like Bitvise and OpenSSH as they 
supports "algorithms whose name match identifier of signature".
In connection to those servers PKIX-SSH will chose algorithm (5).

In connection to server without extensions - client will try (1) and if 
not accepted (4).

Above is part of PKIX-SSH feature called "/adaptive public key algorithm 
selection"/ - an automatic process.

Manual configurations that impact /public key algorithm selection is out 
of scope to this mail ./

In conclusion : extension negotiation mechanism is valuable solution to 
resolve case above if propose an extension that allows in unique way to 
chose triplet for USERAUTH_REQUEST message.

> Yours,
> Daniel

Roumen Petrov