Re: Feedback on draft-ssh-ext-info-00

denis bider <ietf-ssh3@denisbider.com> Sat, 05 December 2015 18:09 UTC

Date: Thu, 03 Dec 2015 02:06:28 +0000
Message-ID: <1637842921-3540@skroderider.denisbider.com>
From: denis bider <ietf-ssh3@denisbider.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, Markus Friedl <mfriedl@gmail.com>, Damien Miller <djm@mindrot.org>
Cc: ietf-ssh@netbsd.org

Presence of "rsa-sha2-256" as a host key signature algorithm cannot reliably serve as an indicator for user authentication, because it requires the server to actually have an RSA host key.

The server might only have an ECDSA host key; but may still accept and prefer "rsa-sha2-256" signatures for client authentication.

Or the server might have an ECDSA host key, and NOT accept "rsa-sha2-256" for client authentication, but instead require "rsa-sha2-512".


----- Original Message -----
From: Peter Gutmann 
Sent: Wednesday, December 2, 2015 17:14
To: Markus Friedl ; ietf-ssh@netbsd.org 
Cc: Damien Miller 
Subject: RE: Feedback on draft-ssh-ext-info-00

Markus Friedl <mfriedl@gmail.com> writes:

>I'm in the process of implementing draft-rsa-dsa-sha2-256-03 and welcome a 
>way for signaling SHA2 support to the client for userauth,

Doesn't the presence of "rsa-sha2-256" do this?  The client proposes it, and
if the server supports it, they indicate via the algorithm string.  It's
pretty much independent of draft-ssh-ext-info-00 (I know it specifies
"server-sig-algs", but it seems that specifying "rsa-sha2-256" was already
sufficient to indicate this).

Peter.
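
Added example, not part of either message and not code from any SSH implementation: the two ECDSA-host-key cases from the reply above, comparing inference from the KEXINIT host key list with an explicit "server-sig-algs" list. It assumes the SSH_MSG_EXT_INFO wire layout that RFC 8308 later specified for this extension mechanism; the function names and both sample servers are constructed for illustration.

```python
import struct

SSH_MSG_EXT_INFO = 7  # message number from RFC 8308

def _string(data: bytes) -> bytes:
    """SSH 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def build_ext_info(extensions: dict) -> bytes:
    """Build a constructed SSH_MSG_EXT_INFO payload for the samples below."""
    out = bytes([SSH_MSG_EXT_INFO]) + struct.pack(">I", len(extensions))
    for name, value in extensions.items():
        out += _string(name.encode("ascii")) + _string(value.encode("ascii"))
    return out

def parse_ext_info(payload: bytes) -> dict:
    """Return {extension-name: raw value}; reject truncated payloads."""
    if not payload or payload[0] != SSH_MSG_EXT_INFO:
        raise ValueError("not SSH_MSG_EXT_INFO")
    pos = 1

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(payload):
            raise ValueError("truncated SSH_MSG_EXT_INFO")
        pos += n
        return payload[pos - n:pos]

    (count,) = struct.unpack(">I", take(4))
    exts = {}
    for _ in range(count):
        name = take(struct.unpack(">I", take(4))[0])
        exts[name.decode("ascii")] = take(struct.unpack(">I", take(4))[0])
    return exts

def pick_from_hostkey_algs(hostkey_algs: list, client_prefs: list):
    """Inference from the KEXINIT host key list; None means no signal."""
    return next((a for a in client_prefs if a in hostkey_algs), None)

def pick_from_ext_info(payload: bytes, client_prefs: list):
    """Use the explicit "server-sig-algs" name-list when the server sent one."""
    algs = parse_ext_info(payload).get("server-sig-algs", b"").decode("ascii").split(",")
    return next((a for a in client_prefs if a in algs), None)

# Constructed servers matching the two cases in the message: ECDSA host key only.
RSA_CLIENT_PREFS = ["rsa-sha2-256", "rsa-sha2-512"]
HOSTKEY_ALGS = ["ecdsa-sha2-nistp256"]
SERVER_A = build_ext_info({"server-sig-algs": "ecdsa-sha2-nistp256,rsa-sha2-256,rsa-sha2-512"})
SERVER_B = build_ext_info({"server-sig-algs": "ecdsa-sha2-nistp256,rsa-sha2-512"})
```

With an ECDSA-only host key the host key list gives an RSA client no signal at all, while the explicit list yields "rsa-sha2-256" for the first server and "rsa-sha2-512" for the second.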