[secdir] Secdir last call review of draft-ietf-curdle-ssh-curves-09
Tobias Gondrom via Datatracker <noreply@ietf.org> Sun, 25 August 2019 11:21 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 553AE1200E3; Sun, 25 Aug 2019 04:21:23 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Tobias Gondrom via Datatracker <noreply@ietf.org>
To: secdir@ietf.org
Cc: curdle@ietf.org, ietf@ietf.org, draft-ietf-curdle-ssh-curves.all@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.100.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Tobias Gondrom <tobias.gondrom@gondrom.org>
Message-ID: <156673208322.31181.16685593489316726586@ietfa.amsl.com>
Date: Sun, 25 Aug 2019 04:21:23 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/mHhNK6_Ag7ybu8RkKP9ac2-JrXg>
Subject: [secdir] Secdir last call review of draft-ietf-curdle-ssh-curves-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 25 Aug 2019 11:21:23 -0000
Reviewer: Tobias Gondrom Review result: Ready I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. The summary of the review is Ready. This document describes how to implement key exchange based on Elliptic Curve Curve25519 (with SHA256) and Curve448 (with SHA512) in SSH. Note: the curve25519-sha256 key exchange is similar to the "curve25519-sha256@libssh.org" key exchange method implemented in libssh and OpenSSH. One thought: I am not cryptographer enough to give a proper recommendation as to the suitability of Curve448 with SHA-512. The reviews state that they would be similar, but with Curve448 not having received the same amount of cryptographic review. I am a bit cautious on assuming it would be good fallback in case Curve25519 would be considered weakened by cryptographic advances. Surely extending the hash to 512 can be helpful, but as both Curve448 and Curve25519 seem to rely on similar principles, the advances that might weaken 25519 might sooner or later also impact 448. Considering that 448 has not had so many reviews, I am not sure whether it is helpful to add it as a fallback. In case of new advances, 448 would have to be reviewed more closely before a general fallback would be recommended. This is only my personal view with limited background in cryptography. However, equally, it might be prudent to add 448 in this document now as it is and then schedule the deeper review once new breakthroughs are being discovered that weaken 25519. One minor spelling nits: section 5: ...but it is provided as an hedge/ but it is provided as a hedge Overall the draft is ready to go. Best regards, Tobias
- [secdir] Secdir last call review of draft-ietf-cu… Tobias Gondrom via Datatracker