suggestion for new ssh maintenance wg (was: Re: [Curdle] SSH crypto updates / Re: Call for Adoption)
Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 14 January 2016 21:19 UTC
Return-Path: <bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org>
X-Original-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Delivered-To: ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 151851ACDF5 for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Thu, 14 Jan 2016 13:19:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5VeRAxTiRXFS for <ietfarch-secsh-tyoxbijeg7-archive@ietfa.amsl.com>; Thu, 14 Jan 2016 13:19:33 -0800 (PST)
Received: from mail.netbsd.org (mail.NetBSD.org [199.233.217.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DEBC81ACDF3 for <secsh-tyoxbijeg7-archive@lists.ietf.org>; Thu, 14 Jan 2016 13:19:33 -0800 (PST)
Received: by mail.netbsd.org (Postfix, from userid 605) id 99E8485E4A; Thu, 14 Jan 2016 21:19:32 +0000 (UTC)
Delivered-To: ietf-ssh@NetBSD.org
Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 54C3E85DFD for <ietf-ssh@NetBSD.org>; Thu, 14 Jan 2016 21:19:24 +0000 (UTC)
X-Virus-Scanned: amavisd-new at netbsd.org
Authentication-Results: mail.netbsd.org (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.netbsd.org ([IPv6:::1]) by localhost (mail.netbsd.org [IPv6:::1]) (amavisd-new, port 10025) with ESMTP id ob0jAhzU-i1g for <ietf-ssh@netbsd.org>; Thu, 14 Jan 2016 21:19:23 +0000 (UTC)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.netbsd.org (Postfix) with ESMTPS id 0B12684CEF for <ietf-ssh@NetBSD.org>; Thu, 14 Jan 2016 21:19:20 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 3C56EBEC4; Thu, 14 Jan 2016 11:50:16 +0000 (GMT)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8W0mAKlJz766; Thu, 14 Jan 2016 11:50:16 +0000 (GMT)
Received: from [134.226.36.93] (bilbo.dsg.cs.tcd.ie [134.226.36.93]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id C6FB9BEB0; Thu, 14 Jan 2016 11:50:15 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1452772216; bh=htg7yfuVWh8fgjyXgQrtsCfmZduLIGFdyEJ0tplR6Hg=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=QsmyFZqbJnr1N4oUYrXhAH8+6rC8h7EzXEZ74wmNk0tdwX3kGeIxMKnMIS8pLXSBB B9sHg3hgNL8p2eCfPoOAn6tuu+5nOde1KUbii/jGyrT7uvzrWozSdZpiJ2o2DywmA/ zPpu50PxZr3a/eau3MJVD5KGm6FAjbxO6vPUqiOM=
Subject: suggestion for new ssh maintenance wg (was: Re: [Curdle] SSH crypto updates / Re: Call for Adoption)
To: ietf-ssh@NetBSD.org
References: <10640250-2692@skroderider.denisbider.com>
Cc: denis bider <ietf-ssh3@denisbider.com>, Watson Ladd <watsonbladd@gmail.com>, Daniel Migault <daniel.migault@ericsson.com>, Curdle Chairs <curdle-chairs@ietf.org>, mdb@juniper.net
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <56978B77.8060204@cs.tcd.ie>
Date: Thu, 14 Jan 2016 11:50:15 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.4.0
MIME-Version: 1.0
In-Reply-To: <10640250-2692@skroderider.denisbider.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list
(Dropping the curdle list for just this question.) Hiya, Denis identified a few topics (below) where he figures there's scope for an ssh maintenance wg but where those topics don't clearly fit in the curdle wg. If there are other folks who'd like to see that work get done in an ssh maintenance wg then please say so on this list. And please say if you'd be willing to write documents or to review documents or if you'd be implementing. If you've another relevant topic please also respond with information (ideally a draft) about that. If you think such an ssh maintenance wg is a bad plan, please also do say that and why you think that. From my POV, I'd be happy to help such a wg be formed if there seems to be sufficient qualified support and folks likely to implement and victims^H^H^H^H^H^H^Hvolunteers to chair it:-) Cheers, S. PS: If a new ssh wg gets sufficient support, we can then figure out whether or not some of the stuff that does fit curdle could be better done in an ssh wg, but let's leave that aside for now and allow ssh work in curdle proceed without this process stuff slowing that down. PPS: Note that this could be short-lived wg that never needs to meet face-to-face, or maybe it'd not be like that, but don't get fussed about having to go to IETF meetings to get this work done - if it's maintenance then that may well not be needed. On 14/01/16 06:57, denis bider wrote: [... probably curdle relevant stuff deleted...] > This is an extension to SSH that's not directly crypto related, but > comes hand in hand with the new RSA signature algorithms - it's > infrastructure that allows for their efficient discovery without > incurring authentication penalties: > > Extension negotiation for SSH: > https://datatracker.ietf.org/doc/draft-ssh-ext-info > > In addition to the above, I very much agree that aes-gcm@openssh.com > needs standardization. > > I would welcome either all of the above being adopted by the Curdle > group; or else, a new WG being created specifically to perform > maintenance on SSH. > > Among other things, the erstwhile SSH working group never finalized > the SFTP spec due to lack of consensus. We now have two SFTP specs, > version 3 implemented by OpenSSH, and version 6 implemented by most > everyone else. > > It seems to me there's plenty of work that could be done by a new SSH > working group, if it were founded. If Curdle doesn't want to adopt > some of the above things, then these things would properly belong > into a new SSH working group. > > However, there isn't one, currently. > > denis > > > ----- Original Message ----- From: Watson Ladd Sent: Wednesday, > January 13, 2016 10:40 To: Daniel Migault Cc: mdb@juniper.net ; > Curdle Chairs ; Curdle ; ietf-ssh@NetBSD.org Subject: Re: [Curdle] > Call for Adoption > > On Wed, Jan 13, 2016 at 8:31 AM, Daniel Migault > <daniel.migault@ericsson.com> wrote: >> Hi, >> >> Thanks for the suggestion. I think it falls into the scope of the >> WG. >> >> The question I would have is whether it would make sense to extend >> the document to the crypto suites others than DH - i.e. encryption >> mac. This would result in a document providing cryptographic >> recommendations for SSH and have this document regularly updated >> as crypto evolves. Any opinion ? > > I'd prefer to prioritize the already deployed Curve25519 and Ed25519 > work over crypto recommendations which other groups can develop. We > also should consider aes-gcm@openssh.com to be added as this > addresses a corner case in the spec which makes AEAD complex. > >> >> BR, Daniel >> >> -----Original Message----- From: mdb@juniper.net >> [mailto:mdb@juniper.net] Sent: Wednesday, January 13, 2016 10:40 >> AM To: Curdle Chairs Cc: Curdle; ietf-ssh@NetBSD.org Subject: Re: >> [Curdle] Call for Adoption >> >> Hi, >> >> Over on the ietf-ssh@NetBSD.org list, Stephen Farrell suggested >> that I see if I could add >> >> https://datatracker.ietf.org/doc/draft-baushke-ssh-dh-group-sha2 >> >> under the curdle charter. >> >> The draft deprecates a Secure Shell (SSH) key exchange algorithm >> (Diffie-Hellman group1 - a 768-bit MODP group) and recommends >> replacement with stronger Diffie-Hellman MODP groups (groups 14, >> 15, 16). >> >> The draft does have two interoperable implementations that have >> implemented it. >> >> Does it fit well enough into the curdle charter to be added here? >> >> Thank you, -- Mark >> >> ------- forwarded message ------- From: Stephen Farrell >> <stephen.farrell@cs.tcd.ie> Date: Wed, 13 Jan 2016 10:34:05 +0000 >> Subject: Re: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group >> exchange) >> >> Hiya, >> >> On 13/01/16 09:21, Mark D. Baushke wrote: >>> Hi, >>> >>> URL: >>> https://datatracker.ietf.org/doc/draft-baushke-ssh-dh-group-sha2 >>> >>> I believe that OpenSSH and Dropbear SSH have both implemented >>> interoperable versions using the current 01 version at this point >>> in time. >>> >>> I would be interested in hearing if any other implementations >>> have adopted these new DH groups. >>> >>> Are there any additional comments or changes needed for the >>> draft before we can move to the next step in the process? >>> >>> Hmmm... What is next? Getting 'AD is watching' or is it getting >>> a document shepherd? >> >> There's no active SSH WG, but there is the curdle WG. Its charter >> [1] however is limited in terms of what it's allowed to add to >> protocols. OTOH, this is not defining any new groups, just updating >> codepoints, including deprecating one (to NOT RECOMMENDED). So the >> draft could fit there on that basis I guess. So I'd say send a mail >> to the curdle list and suggest this be adopted there. >> >> If that doesn't work I can look at AD sponsoring it, but since one >> of the reasons to setup curdle was to avoid too many of these being >> AD sponsored, please try there first. >> >> Cheers, S. >> >> [1] https://tools.ietf.org/wg/curdle >> >>> >>> Thank you, -- Mark >> >> _______________________________________________ Curdle mailing >> list Curdle@ietf.org https://www.ietf.org/mailman/listinfo/curdle > > > > > > _______________________________________________ Curdle mailing list > Curdle@ietf.org https://www.ietf.org/mailman/listinfo/curdle >
- suggestion for new ssh maintenance wg (was: Re: [… Stephen Farrell
- SSH crypto updates / Re: Call for Adoption denis bider
- Re: suggestion for new ssh maintenance wg Niels Möller