IETF Logo Mail Archive

Re: [saag] Using ED25519 in SSHFP Resource Records - draft-moonesamy-sshfp-ed25519-00

Paul Wouters <pwouters@redhat.com> Mon, 24 February 2014 03:10 UTC

Return-Path: <pwouters@redhat.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 88E9A1A07D3 for <saag@ietfa.amsl.com>; Sun, 23 Feb 2014 19:10:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.749
X-Spam-Level:
X-Spam-Status: No, score=-4.749 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.547, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AQJGBRACIvtB for <saag@ietfa.amsl.com>; Sun, 23 Feb 2014 19:10:00 -0800 (PST)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by ietfa.amsl.com (Postfix) with ESMTP id D0D461A07D0 for <saag@ietf.org>; Sun, 23 Feb 2014 19:09:59 -0800 (PST)
Received: from int-mx10.intmail.prod.int.phx2.redhat.com (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s1O39wqF024774 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <saag@ietf.org>; Sun, 23 Feb 2014 22:09:58 -0500
Received: from bofh.nohats.ca (vpn-55-110.rdu2.redhat.com [10.10.55.110]) by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id s1O39vMx006331 for <saag@ietf.org>; Sun, 23 Feb 2014 22:09:58 -0500
Message-ID: <530AB805.1060308@redhat.com>
Date: Sun, 23 Feb 2014 22:09:57 -0500
From: Paul Wouters <pwouters@redhat.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: saag@ietf.org
References: <6.2.5.6.2.20140204112023.0aec4c90@elandsys.com> <23AC0B40-66B5-468C-B96D-17B52F1F42A4@checkpoint.com> <530A45F8.1010202@cs.tcd.ie>
In-Reply-To: <530A45F8.1010202@cs.tcd.ie>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/T7-OPNZxUQ4_KSBlMCW-s4BRv7Q
Subject: Re: [saag] Using ED25519 in SSHFP Resource Records - draft-moonesamy-sshfp-ed25519-00
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Feb 2014 03:10:01 -0000

On 02/23/2014 02:03 PM, Stephen Farrell wrote:
> 
> Thanks for reviewing this Yoav.
> 
> SM's been (quite properly) hassling me to figure out what
> to do with his draft and I've been slow because I don't
> want to do something that turns out to be in conflict with
> whatever is done in TLS in particular.
> 
> I'd be interested in opinions as to whether that is a real
> problem or not.

I agree with Yoav that we really should not write new documents that specify SHA1.

Other small items regarding the draft:

	RFC 4255 [RFC4255] defines a new DNS resource record, "SSHFP",

I would remove the word "new". It just defines it. And I would argue that 2006 is not "new".

I would not mention client behaviour in section 2 introduction, but instead just define the new IANA entry and refer to RFC 4255 Section 2 for the usage policy.

I would also remove the introduction paragraph of section 3 and just refer back to 4255 using those last two lines.

Can this document also add an SSHFP Algorithm Number for ECDSA?

Can this document be changed to add the SHA2-256 fingerprint type in general for all algorithms? That way, the RSA and DSS defined Algorithm Numbers can also
switch from SHA1 to SHA2-256.

Paul

v2.23.0 | Report a Bug | By Email