[Gen-art] review of draft-os-ietf-sshfp-ecdsa-sha2-04.txt

Francis Dupont <Francis.Dupont@fdupont.fr> Thu, 15 December 2011 16:39 UTC

Return-Path: <Francis.Dupont@fdupont.fr>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id B2F7C21F850E for <gen-art@ietfa.amsl.com>; Thu, 15 Dec 2011 08:39:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.191
X-Spam-Status: No, score=-2.191 tagged_above=-999 required=5 tests=[AWL=-0.192, BAYES_00=-2.599, J_CHICKENPOX_28=0.6]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id miJzVqEKkjmO for <gen-art@ietfa.amsl.com>; Thu, 15 Dec 2011 08:39:47 -0800 (PST)
Received: from givry.fdupont.fr (givry.fdupont.fr [IPv6:2001:41d0:1:6d55:211:5bff:fe98:d51e]) by ietfa.amsl.com (Postfix) with ESMTP id F1BDC21F8500 for <gen-art@ietf.org>; Thu, 15 Dec 2011 08:39:46 -0800 (PST)
Received: from givry.fdupont.fr (localhost []) by givry.fdupont.fr (8.14.3/8.14.3) with ESMTP id pBFGdgjU071693; Thu, 15 Dec 2011 17:39:42 +0100 (CET) (envelope-from dupont@givry.fdupont.fr)
Message-Id: <201112151639.pBFGdgjU071693@givry.fdupont.fr>
From: Francis Dupont <Francis.Dupont@fdupont.fr>
To: gen-art@ietf.org
Date: Thu, 15 Dec 2011 17:39:42 +0100
Sender: Francis.Dupont@fdupont.fr
Cc: draft-os-ietf-sshfp-ecdsa-sha2.all@tools.ietf.org
Subject: [Gen-art] review of draft-os-ietf-sshfp-ecdsa-sha2-04.txt
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Dec 2011 16:39:47 -0000

I am the assigned Gen-ART reviewer for this draft. For background on 
Gen-ART, please see the FAQ at 

Please resolve these comments along with any other Last Call comments 
you may receive.

Document: draft-os-ietf-sshfp-ecdsa-sha2-04.txt
Reviewer: Francis Dupont
Review Date: 20111210
IETF LC End Date: 20120103
IESG Telechat date: unknown

Summary: Ready

Major issues: None

Minor issues: not a real issue but I am not convinced there is a real
crypto reason to give up SHA-1. At the first view the attack against
SSHFP is a pre-image one, but:
 - I leave the question to cryptographers of the security directorate
 - there are many not-crypto reasons to move from SHA-1 to SHA-256

Nits/editorial comments:
 - I'd like to get only the SHA-256 name and no variants, in particular
  no SHA256 (my idea is to always use the same name)

 - IMHO the 'OpenSSH' format is just the PEM format

 - IMHO the multi-line fingerprint in text RRs must be enclosed
  by parenthesis to be correctly parsed

 - 1 page 3: the abbrev RR should be introduced as soon as the term
 'resource record' is used

 - 1 page 3: ; and -> ;

 - 3.2.1 page 4: this is the MUST I am not convinced by the justification
 (BTW I suggest to fix the justification if it is too wrong, and
  to keep the MUST)

 - 7 page 7: software implementations -> implementations

 - 7 page 8: BTW I like the disclaimer:
   ... Regardless of whether or not the attacks on SHA-1 will
   affect SSHFP, it is believed (at the time of this writing) that SHA-
   256 is the better choice for use in SSHFP records.

 - 8.2 page 9: Di!erential -> Differential

 - Author's Address: CZ -> Czech Republic