Re: [Gen-art] review of draft-os-ietf-sshfp-ecdsa-sha2-04.txt
Francis Dupont <Francis.Dupont@fdupont.fr> Fri, 27 January 2012 12:18 UTC
Return-Path: <Francis.Dupont@fdupont.fr>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C64D21F84F3 for <gen-art@ietfa.amsl.com>; Fri, 27 Jan 2012 04:18:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.449
X-Spam-Level:
X-Spam-Status: No, score=-2.449 tagged_above=-999 required=5 tests=[AWL=-0.150, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ivN62e4B+VrD for <gen-art@ietfa.amsl.com>; Fri, 27 Jan 2012 04:18:50 -0800 (PST)
Received: from givry.fdupont.fr (givry.fdupont.fr [IPv6:2001:41d0:1:6d55:211:5bff:fe98:d51e]) by ietfa.amsl.com (Postfix) with ESMTP id 8515E21F84EA for <gen-art@ietf.org>; Fri, 27 Jan 2012 04:18:50 -0800 (PST)
Received: from givry.fdupont.fr (localhost [127.0.0.1]) by givry.fdupont.fr (8.14.3/8.14.3) with ESMTP id q0RCIlXs009870; Fri, 27 Jan 2012 13:18:48 +0100 (CET) (envelope-from dupont@givry.fdupont.fr)
Message-Id: <201201271218.q0RCIlXs009870@givry.fdupont.fr>
From: Francis Dupont <Francis.Dupont@fdupont.fr>
To: Ondřej Surý <ondrej.sury@nic.cz>
In-reply-to: Your message of Fri, 27 Jan 2012 09:23:16 +0100. <7AAF5787-51FA-4046-93CA-50CA23E65E09@nic.cz>
Date: Fri, 27 Jan 2012 13:18:47 +0100
Sender: Francis.Dupont@fdupont.fr
Cc: gen-art@ietf.org, draft-os-ietf-sshfp-ecdsa-sha2.all@tools.ietf.org
Subject: Re: [Gen-art] review of draft-os-ietf-sshfp-ecdsa-sha2-04.txt
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Jan 2012 12:18:51 -0000
In your previous mail you wrote: > > Minor issues: not a real issue but I am not convinced there is a real > > crypto reason to give up SHA-1. At the first view the attack against > > SSHFP is a pre-image one, but: > > - I leave the question to cryptographers of the security directorate > > - there are many not-crypto reasons to move from SHA-1 to SHA-256 > > Hi, > > I have added some text there: > > ECDSA public key fingerprints MUST use the SHA-256 algorithm > for the fingerprint as using the SHA-1 algorithm would > weaken the security of the key, which itself can use only > SHA-2 family of algorithms RFC 5656 (Section 3.1.1). => I am afraid it is another not-crypto reason... > But I am also not a cryptographer, => I am not a cryptographer too (I just worked with cryptographers, military cryptographers exactly, i.e., the worst kind of cryptographers :-) > so it's just my guts telling me > that if a key is allowed to use only SHA-2, we should keep it in sync > here. => the 2 ideas are: - keep the requirement (i.e., it is the right one and even there could be no good crypto reasons) - get a wording for the justification which doesn't make cryptographers too unhappy (they won't be really happy anyway: this is a part of being cryptographers :-) Of course for the second part the best should be to get a feedback from the crypto (oops, the security) directorate. Thanks Francis.Dupont@fdupont.fr
- [Gen-art] review of draft-os-ietf-sshfp-ecdsa-sha… Francis Dupont
- Re: [Gen-art] review of draft-os-ietf-sshfp-ecdsa… Francis Dupont
- Re: [Gen-art] review of draft-os-ietf-sshfp-ecdsa… Ondřej Surý
- [Gen-art] Updated draft-os-ietf-sshfp-ecdsa-sha2-… Ondřej Surý
- Re: [Gen-art] Updated draft-os-ietf-sshfp-ecdsa-s… lionel.morand