Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 & draft-ietf-curdle-ssh-kex-sha2

Damien Miller <djm@mindrot.org> Tue, 13 September 2016 19:32 UTC

Date: Wed, 14 Sep 2016 05:32:17 +1000
From: Damien Miller <djm@mindrot.org>
To: "Mark D. Baushke" <mdb@juniper.net>
cc: Curdle <curdle@ietf.org>, IETF SSH <ietf-ssh@NetBSD.org>
Subject: Re: [Curdle] draft-ietf-curdle-ssh-modp-dh-sha2 & draft-ietf-curdle-ssh-kex-sha2
In-Reply-To: <38090.1473794513@eng-mail01.juniper.net>
Message-ID: <alpine.BSO.2.20.1609140531260.58455@natsu.mindrot.org>
References: <41049.1473653352@eng-mail01.juniper.net> <alpine.BSO.2.20.1609140340320.58455@natsu.mindrot.org> <38090.1473794513@eng-mail01.juniper.net>

On Tue, 13 Sep 2016, Mark D. Baushke wrote:

> > IMO these two should be MAY. Most implementations don't support
> > GSSAPI key exchange at all.
> 
> Perhaps I need a paragraph like this one:
> 
>      If GSS-API methods are available, then the RFC4462 REQUIRED
>      gss-group14-sha1-* method SHOULD be retained for compatibility
>      with older Secure Shell implementations and the
>      gss-groups14-sha256-* method SHOULD be added as for "sha1".

Sounds good, and maybe with an asterisk or footnote marker next
to the SHOULD in the main list.

-d