Re: [Gen-art] Updated draft-os-ietf-sshfp-ecdsa-sha2-06.txt

<> Fri, 27 January 2012 17:33 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C1B7121F8599; Fri, 27 Jan 2012 09:33:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -5.649
X-Spam-Status: No, score=-5.649 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_FR=0.35, J_CHICKENPOX_23=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id tdLeZBGIPuEa; Fri, 27 Jan 2012 09:33:03 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id C008821F8579; Fri, 27 Jan 2012 09:33:02 -0800 (PST)
Received: from (localhost.localdomain []) by localhost (Postfix) with SMTP id 3978F1074003; Fri, 27 Jan 2012 18:33:27 +0100 (CET)
Received: from (unknown []) by (Postfix) with ESMTP id 2C4F4E303A2; Fri, 27 Jan 2012 18:33:27 +0100 (CET)
Received: from ([]) by with Microsoft SMTPSVC(6.0.3790.4675); Fri, 27 Jan 2012 18:31:30 +0100
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Date: Fri, 27 Jan 2012 18:31:29 +0100
Message-ID: <B11765B89737A7498AF63EA84EC9F577011B12C1@ftrdmel1>
In-Reply-To: <>
Thread-Topic: Updated draft-os-ietf-sshfp-ecdsa-sha2-06.txt
Thread-Index: Aczc+iFaZ0JVKvyPQF6RAn+yVoHccQAHDDvg
References: <> <>
To:,, pk@DENIC.DE,
X-OriginalArrivalTime: 27 Jan 2012 17:31:30.0199 (UTC) FILETIME=[81696270:01CCDD19]
X-Mailman-Approved-At: Fri, 27 Jan 2012 09:34:01 -0800
Subject: Re: [Gen-art] Updated draft-os-ietf-sshfp-ecdsa-sha2-06.txt
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 27 Jan 2012 17:33:03 -0000

Thank you!


-----Message d'origine-----
De : Ondřej Surý [] 
Envoyé : vendredi 27 janvier 2012 14:47
À : Francis Dupont; MORAND Lionel RD-CORE-ISS; Peter Koch; Daniel Black
Cc : Elwyn Davies; Stephen Farrell;;;
Objet : Updated draft-os-ietf-sshfp-ecdsa-sha2-06.txt 


since I have received many comments about this block:
>>           ECDSA public key fingerprints MUST use the SHA-256 algorithm
>>           for the fingerprint as using the SHA-1 algorithm would
>>           weaken the security of the key, which itself can use only
>>           SHA-2 family of algorithms RFC 5656 (Section 3.1.1).

I have removed it from the draft version -06 and kept only the part in
Implementation Considerations:

4.1.  Support for SHA-256 fingerprints

   SSHFP-aware Secure Shell implementations SHOULD support the SHA-256
   fingerprints for verification of the public key.  Secure Shell
   implementations which support SHA-256 fingerprints MUST prefer a SHA-
   256 fingerprint over SHA-1 if both are available for a server.  If
   the SHA-256 fingerprint is tested and does not match the key SSH
   public key received from the SSH server key, then the key MUST be
   rejected rather than testing the alternative SHA-1 fingerprint.

and Security Considerations

   Users of SSHFP are encouraged to deploy SHA-256 as soon as
   implementations allow for it.  SHA-2 family of algorithms is widely
   believed to be more resilient to attack than SHA-1, and confidence in
   SHA-1's strength is being eroded by recently announced attacks [IACR
   2007/474].  Regardless of whether or not the attacks on SHA-1 will
   affect SSHFP, it is believed (at the time of this writing) that SHA-
   256 is the better choice for use in SSHFP records.

I believe that now all concerns are solved, but I haven't got the review
from secdir yet.

 Ondřej Surý
 vedoucí výzkumu/Head of R&D department
 CZ.NIC, z.s.p.o.    --    Laboratoře CZ.NIC
 Americka 23, 120 00 Praha 2, Czech Republic
 tel:+420.222745110       fax:+420.222745112