Re: [Gen-art] review of draft-os-ietf-sshfp-ecdsa-sha2-04.txt
Ondřej Surý <ondrej.sury@nic.cz> Fri, 27 January 2012 08:23 UTC
Return-Path: <ondrej.sury@nic.cz>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B283921F8550 for <gen-art@ietfa.amsl.com>; Fri, 27 Jan 2012 00:23:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.7
X-Spam-Level:
X-Spam-Status: No, score=-1.7 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_23=0.6, MIME_8BIT_HEADER=0.3, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FS8XKY76Ilyw for <gen-art@ietfa.amsl.com>; Fri, 27 Jan 2012 00:23:18 -0800 (PST)
Received: from mail.nic.cz (mail.nic.cz [IPv6:2001:1488:800:400::400]) by ietfa.amsl.com (Postfix) with ESMTP id F104E21F8551 for <gen-art@ietf.org>; Fri, 27 Jan 2012 00:23:17 -0800 (PST)
Received: from [IPv6:2001:1488:ac14:1400:e0b7:7a23:933c:691b] (unknown [IPv6:2001:1488:ac14:1400:e0b7:7a23:933c:691b]) by mail.nic.cz (Postfix) with ESMTPSA id F353C2A2D0E; Fri, 27 Jan 2012 09:23:16 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nic.cz; s=default; t=1327652597; bh=/bhc9HJfluxbKSTmIIeKQGSn2HRvVrSQbrt8dTQ8GRE=; h=Subject:Mime-Version:Content-Type:From:In-Reply-To:Date:Cc: Content-Transfer-Encoding:Message-Id:References:To; b=CQUarV3OszDdU9oDVDTTtnFLGDAU4F2fJFui1hfv2LeO+8eCnh3+85W6VgKQBbLcb G3fhyVF+3Xh43R1F+8W2DK3wxYhiCiQBklweD5RoVinuHp09blAgEq//5a/yQ5o9xA wzF/nktU1tWF6pZO5+7UWiBSXOyd9EKIEflzHsFE=
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: text/plain; charset="utf-8"
From: Ondřej Surý <ondrej.sury@nic.cz>
In-Reply-To: <201112151639.pBFGdgjU071693@givry.fdupont.fr>
Date: Fri, 27 Jan 2012 09:23:16 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <7AAF5787-51FA-4046-93CA-50CA23E65E09@nic.cz>
References: <201112151639.pBFGdgjU071693@givry.fdupont.fr>
To: Francis Dupont <Francis.Dupont@fdupont.fr>
X-Mailer: Apple Mail (2.1251.1)
X-Virus-Scanned: clamav-milter 0.96.5 at mail
X-Virus-Status: Clean
X-Mailman-Approved-At: Fri, 27 Jan 2012 05:32:03 -0800
Cc: gen-art@ietf.org, draft-os-ietf-sshfp-ecdsa-sha2.all@tools.ietf.org
Subject: Re: [Gen-art] review of draft-os-ietf-sshfp-ecdsa-sha2-04.txt
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Jan 2012 08:23:18 -0000
On 15. 12. 2011, at 17:39, Francis Dupont wrote:
> I am the assigned Gen-ART reviewer for this draft. For background on
> Gen-ART, please see the FAQ at
> <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.
>
> Please resolve these comments along with any other Last Call comments
> you may receive.
>
> Document: draft-os-ietf-sshfp-ecdsa-sha2-04.txt
> Reviewer: Francis Dupont
> Review Date: 20111210
> IETF LC End Date: 20120103
> IESG Telechat date: unknown
>
> Summary: Ready
>
> Major issues: None
>
> Minor issues: not a real issue but I am not convinced there is a real
> crypto reason to give up SHA-1. At the first view the attack against
> SSHFP is a pre-image one, but:
> - I leave the question to cryptographers of the security directorate
> - there are many not-crypto reasons to move from SHA-1 to SHA-256
Hi,
I have added some text there:
ECDSA public key fingerprints MUST use the SHA-256 algorithm
for the fingerprint as using the SHA-1 algorithm would
weaken the security of the key, which itself can use only
SHA-2 family of algorithms RFC 5656 (Section 3.1.1).
But I am also not a cryptographer, so it's just my guts telling me
that if a key is allowed to use only SHA-2, we should keep it in sync
here.
> - IMHO the 'OpenSSH' format is just the PEM format
I have added a reference to RFC 4716 there.
> - 3.2.1 page 4: this is the MUST I am not convinced by the justification
> (BTW I suggest to fix the justification if it is too wrong, and
> to keep the MUST)
Well, I don't think I have received secdir review, I'll solve it there
if you don't mind.
> - 7 page 8: BTW I like the disclaimer:
> ... Regardless of whether or not the attacks on SHA-1 will
> affect SSHFP, it is believed (at the time of this writing) that SHA-
> 256 is the better choice for use in SSHFP records.
Well, thanks goes to authors of RFC 5702 :)
> [...]
All your other comments not mentioned here are fixed.
--
Ondřej Surý
vedoucí výzkumu/Head of R&D department
-------------------------------------------
CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
Americka 23, 120 00 Praha 2, Czech Republic
mailto:ondrej.sury@nic.cz http://nic.cz/
tel:+420.222745110 fax:+420.222745112
-------------------------------------------
- [Gen-art] review of draft-os-ietf-sshfp-ecdsa-sha… Francis Dupont
- Re: [Gen-art] review of draft-os-ietf-sshfp-ecdsa… Francis Dupont
- Re: [Gen-art] review of draft-os-ietf-sshfp-ecdsa… Ondřej Surý
- [Gen-art] Updated draft-os-ietf-sshfp-ecdsa-sha2-… Ondřej Surý
- Re: [Gen-art] Updated draft-os-ietf-sshfp-ecdsa-s… lionel.morand