Re: [dns-dir] some comments on draft-os-ietf-sshfp-ecdsa-sha2-04.txt
Ondřej Surý <ondrej.sury@nic.cz> Wed, 04 January 2012 18:36 UTC
From: Ondřej Surý <ondrej.sury@nic.cz>
In-Reply-To: <20120104181709.GP13424@x27.adm.denic.de>
Date: Wed, 04 Jan 2012 19:36:39 +0100
Message-Id: <251E43BE-CC2A-468C-8A46-3002BC5D5D3B@nic.cz>
References: <20120104181709.GP13424@x27.adm.denic.de>
To: Peter Koch <pk@DENIC.DE>, dns-dir@ietf.org
Hi Peter,

thanks for the review. I am preparing a new revision based on last call and area secretariat's comments, so I'll merge your comments as well. I am starting to find how unbelievably hard it is to add just two new numbers to an IANA registry in the IETF :). This draft will soon be in better shape than the one which actually did something (added support to the SSH protocol).

O.

On 4. 1. 2012, at 19:17, Peter Koch wrote:

> Hi Ondrej,
>
> I came across another review of <draft-os-ietf-sshfp-ecdsa-sha2-04.txt>
> and would like to add some remarks. I've copied the DNS Directorate
> for information. Not sure what the status of the draft is - the
> datatracker confuses me by claiming 'wg document', but I do not see
> which WG? Generally the draft looks like a good idea!
>
> To start with some formalities, the header and abstract claim the draft
> updates RFC 4255. I would suggest it does not. It updates two IANA
> registries defined and seeded by RFC 4255, but it does not (to my
> reading) change any content of RFC 4255. If it were to update 4255,
> it should probably adjust the registry policies from "IETF consensus"
> as per RFC 2434 to "IETF Review" as per RFC 5226, but that's probably
> for another venue to discuss.
>
> Second, the document aims at Standards Track and I do not see why.
> An IETF/IESG reviewed RFC would be sufficient. Not saying it
> should be less than ST, but what's the purpose here? Later serving
> as normative reference?
>
> In section 3.2 the use of an ECDSA fingerprint is defined. I could
> not find the description of the Fingerprint in RFC 5656.
> Further on it reads
>
>    ECDSA public key fingerprints MUST use the SHA-256 algorithm for the
>    fingerprint as using the SHA-1 algorithm would weaken the security of
>    the key.
>
> First, could the claim 'would weaken the security' be substantiated
> (maybe by reference) a bit? Second, what is the consequence, i.e.
> who is supposed to act on a violation? Is it the DNS implementation
> (hard to achieve with 'transparent' RR types), the DNS operator or
> the consuming entity? I would suggest to reverse the logic here and
> only demand that a consuming party MUST ignore SHA-1 FPs for ECDSA.
>
> In 4.1, the SHA-256 fingerprint is introduced. The consuming entity
> is advised
>
>    "Secure Shell implementations which support SHA-256 fingerprints
>    MUST prefer a SHA-256 fingerprint over SHA-1 if both are available
>    for a server. If the SHA-256 fingerprint is tested and does not
>    match the supplied key, then the key MUST be rejected rather than
>    testing the alternative SHA-1 fingerprint."
>
> This assumes that both FPs are for the same key? Couldn't it happen that
> the server offers an RSA and an ECDSA key, using SHA-1 for the former
> and ECDSA for the latter?
>
> Nit: Add some text after the headline "5. Examples", e.g.
>
>    The following examples provide reference for both the newly defined
>    ECDSA algorithm number and the use of the SHA-256 fingerprint
>    combined with both the new and the existing algorithm numbers.
>
> The examples refer to "OpenSSH format" without any reference.
>
> The references to the DNSSEC RFCs are probably informative only.
>
> Best regards,
>  Peter

--
Ondřej Surý
vedoucí výzkumu/Head of R&D department
-------------------------------------------
CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
Americka 23, 120 00 Praha 2, Czech Republic
mailto:ondrej.sury@nic.cz http://nic.cz/
tel:+420.222745110 fax:+420.222745112
-------------------------------------------
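The consumer-side verification rule discussed in the review (prefer SHA-256, reject on SHA-256 mismatch without falling back to SHA-1, ignore SHA-1 fingerprints for ECDSA keys) as an added illustration, not code from the draft or from either participant. It filters the SSHFP RRset by the presented key's algorithm first, which is what resolves the mixed RSA/ECDSA case Peter raises; the algorithm and fingerprint-type numbers are those assigned in the published RFC 6594 (ECDSA = 3, SHA-256 = 2), and the key blobs and RRsets are constructed sample data.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Tuple

# SSHFP algorithm numbers: 1 RSA, 2 DSS (RFC 4255); 3 ECDSA as assigned in RFC 6594.
ALG_RSA, ALG_DSS, ALG_ECDSA = 1, 2, 3
# SSHFP fingerprint types: 1 SHA-1 (RFC 4255); 2 SHA-256 (RFC 6594).
FP_SHA1, FP_SHA256 = 1, 2
DIGEST = {FP_SHA1: hashlib.sha1, FP_SHA256: hashlib.sha256}


@dataclass(frozen=True)
class SSHFP:
    algorithm: int
    fp_type: int
    fingerprint: bytes  # raw digest; the RR presentation format shows it as hex


def fingerprint(key_blob: bytes, fp_type: int) -> bytes:
    """Fingerprint of the wire-format public key blob (RFC 4255 section 3.1)."""
    return DIGEST[fp_type](key_blob).digest()


def verify_host_key(key_alg: int, key_blob: bytes, records: List[SSHFP]) -> Tuple[bool, str]:
    """Decide whether the presented host key is authenticated by the SSHFP RRset.
    Only records for the key's own algorithm are considered, so an RSA/SHA-1 record
    never competes with an ECDSA/SHA-256 record.  For ECDSA keys, SHA-1 records are
    ignored.  If a SHA-256 record exists it is authoritative: a mismatch rejects the
    key and SHA-1 is never consulted as a fallback."""
    same_alg = [r for r in records if r.algorithm == key_alg]
    if key_alg == ALG_ECDSA:
        same_alg = [r for r in same_alg if r.fp_type == FP_SHA256]
    if not same_alg:
        return False, "no usable SSHFP record for this key algorithm"
    preferred = FP_SHA256 if any(r.fp_type == FP_SHA256 for r in same_alg) else FP_SHA1
    expected = fingerprint(key_blob, preferred)
    matched = any(hmac.compare_digest(r.fingerprint, expected)
                  for r in same_alg if r.fp_type == preferred)
    name = "SHA-256" if preferred == FP_SHA256 else "SHA-1"
    return matched, f"{name} fingerprint {'matched' if matched else 'mismatched (no fallback)'}"


# Constructed sample keys (not real SSH key blobs) and two constructed RRsets.
RSA_KEY = b"constructed rsa host key blob"
ECDSA_KEY = b"constructed ecdsa host key blob"
ROGUE_KEY = b"constructed key blob from a different host"
# Mixed host: RSA published with SHA-1, ECDSA with SHA-256, plus a stray ECDSA/SHA-1 record.
RECORDS = [
    SSHFP(ALG_RSA, FP_SHA1, fingerprint(RSA_KEY, FP_SHA1)),
    SSHFP(ALG_ECDSA, FP_SHA256, fingerprint(ECDSA_KEY, FP_SHA256)),
    SSHFP(ALG_ECDSA, FP_SHA1, fingerprint(ROGUE_KEY, FP_SHA1)),
]
# Same-algorithm RRset where the SHA-256 record disagrees with the SHA-1 record.
NO_FALLBACK = [
    SSHFP(ALG_RSA, FP_SHA256, fingerprint(ROGUE_KEY, FP_SHA256)),
    SSHFP(ALG_RSA, FP_SHA1, fingerprint(RSA_KEY, FP_SHA1)),
]
```

With `RECORDS`, the RSA key verifies via SHA-1 and the ECDSA key via SHA-256, while `ROGUE_KEY` is rejected as ECDSA even though its SHA-1 record matches; with `NO_FALLBACK`, `RSA_KEY` is rejected because the SHA-256 record mismatches and SHA-1 is not consulted.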