Re: [Gen-art] Updated draft-os-ietf-sshfp-ecdsa-sha2-06.txt
<lionel.morand@orange.com> Fri, 27 January 2012 17:33 UTC
Return-Path: <lionel.morand@orange.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C1B7121F8599; Fri, 27 Jan 2012 09:33:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.649
X-Spam-Level:
X-Spam-Status: No, score=-5.649 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_FR=0.35, J_CHICKENPOX_23=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tdLeZBGIPuEa; Fri, 27 Jan 2012 09:33:03 -0800 (PST)
Received: from p-mail2.rd.francetelecom.com (p-mail2.rd.francetelecom.com [195.101.245.16]) by ietfa.amsl.com (Postfix) with ESMTP id C008821F8579; Fri, 27 Jan 2012 09:33:02 -0800 (PST)
Received: from p-mail2.rd.francetelecom.com (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 3978F1074003; Fri, 27 Jan 2012 18:33:27 +0100 (CET)
Received: from ftrdsmtp2.rd.francetelecom.fr (unknown [10.192.128.47]) by p-mail2.rd.francetelecom.com (Postfix) with ESMTP id 2C4F4E303A2; Fri, 27 Jan 2012 18:33:27 +0100 (CET)
Received: from ftrdmel1.rd.francetelecom.fr ([10.192.128.40]) by ftrdsmtp2.rd.francetelecom.fr with Microsoft SMTPSVC(6.0.3790.4675); Fri, 27 Jan 2012 18:31:30 +0100
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Date: Fri, 27 Jan 2012 18:31:29 +0100
Message-ID: <B11765B89737A7498AF63EA84EC9F577011B12C1@ftrdmel1>
In-Reply-To: <A134B16E-B5E7-4F59-84E6-3A6B4D0EF46F@nic.cz>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Updated draft-os-ietf-sshfp-ecdsa-sha2-06.txt
Thread-Index: Aczc+iFaZ0JVKvyPQF6RAn+yVoHccQAHDDvg
References: <201201271218.q0RCIlXs009870@givry.fdupont.fr> <A134B16E-B5E7-4F59-84E6-3A6B4D0EF46F@nic.cz>
From: lionel.morand@orange.com
To: ondrej.sury@nic.cz, Francis.Dupont@fdupont.fr, pk@DENIC.DE, daniel.black@openquery.com
X-OriginalArrivalTime: 27 Jan 2012 17:31:30.0199 (UTC) FILETIME=[81696270:01CCDD19]
X-Mailman-Approved-At: Fri, 27 Jan 2012 09:34:01 -0800
Cc: gen-art@ietf.org, ops-dir@ietf.org, stephen.farrell@cs.tcd.ie, dns-dir@ietf.org, elwynd@googlemail.com
Subject: Re: [Gen-art] Updated draft-os-ietf-sshfp-ecdsa-sha2-06.txt
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Jan 2012 17:33:03 -0000
Thank you! Lionel -----Message d'origine----- De : Ondřej Surý [mailto:ondrej.sury@nic.cz] Envoyé : vendredi 27 janvier 2012 14:47 À : Francis Dupont; MORAND Lionel RD-CORE-ISS; Peter Koch; Daniel Black Cc : Elwyn Davies; Stephen Farrell; dns-dir@ietf.org; ops-dir@ietf.org; gen-art@ietf.org Objet : Updated draft-os-ietf-sshfp-ecdsa-sha2-06.txt Hi, since I have received many comments about this block: >> ECDSA public key fingerprints MUST use the SHA-256 algorithm >> for the fingerprint as using the SHA-1 algorithm would >> weaken the security of the key, which itself can use only >> SHA-2 family of algorithms RFC 5656 (Section 3.1.1). I have removed it from the draft version -06 and kept only the part in Implementation Considerations: 4.1. Support for SHA-256 fingerprints SSHFP-aware Secure Shell implementations SHOULD support the SHA-256 fingerprints for verification of the public key. Secure Shell implementations which support SHA-256 fingerprints MUST prefer a SHA- 256 fingerprint over SHA-1 if both are available for a server. If the SHA-256 fingerprint is tested and does not match the key SSH public key received from the SSH server key, then the key MUST be rejected rather than testing the alternative SHA-1 fingerprint. and Security Considerations Users of SSHFP are encouraged to deploy SHA-256 as soon as implementations allow for it. SHA-2 family of algorithms is widely believed to be more resilient to attack than SHA-1, and confidence in SHA-1's strength is being eroded by recently announced attacks [IACR 2007/474]. Regardless of whether or not the attacks on SHA-1 will affect SSHFP, it is believed (at the time of this writing) that SHA- 256 is the better choice for use in SSHFP records. I believe that now all concerns are solved, but I haven't got the review from secdir yet. O. -- Ondřej Surý vedoucí výzkumu/Head of R&D department ------------------------------------------- CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC Americka 23, 120 00 Praha 2, Czech Republic mailto:ondrej.sury@nic.cz http://nic.cz/ tel:+420.222745110 fax:+420.222745112 -------------------------------------------
- [Gen-art] review of draft-os-ietf-sshfp-ecdsa-sha… Francis Dupont
- Re: [Gen-art] review of draft-os-ietf-sshfp-ecdsa… Francis Dupont
- Re: [Gen-art] review of draft-os-ietf-sshfp-ecdsa… Ondřej Surý
- [Gen-art] Updated draft-os-ietf-sshfp-ecdsa-sha2-… Ondřej Surý
- Re: [Gen-art] Updated draft-os-ietf-sshfp-ecdsa-s… lionel.morand