Re: [Gen-art] review of draft-os-ietf-sshfp-ecdsa-sha2-04.txt

Fri, 27 Jan 2012 05:32:09 -0800 

On 15. 12. 2011, at 17:39, Francis Dupont wrote:

> I am the assigned Gen-ART reviewer for this draft. For background on 
> Gen-ART, please see the FAQ at 
> <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.
> 
> Please resolve these comments along with any other Last Call comments 
> you may receive.
> 
> Document: draft-os-ietf-sshfp-ecdsa-sha2-04.txt
> Reviewer: Francis Dupont
> Review Date: 20111210
> IETF LC End Date: 20120103
> IESG Telechat date: unknown
> 
> Summary: Ready
> 
> Major issues: None
> 
> Minor issues: not a real issue but I am not convinced there is a real
> crypto reason to give up SHA-1. At the first view the attack against
> SSHFP is a pre-image one, but:
> - I leave the question to cryptographers of the security directorate
> - there are many not-crypto reasons to move from SHA-1 to SHA-256

Hi,

I have added some text there:

          ECDSA public key fingerprints MUST use the SHA-256 algorithm
          for the fingerprint as using the SHA-1 algorithm would
          weaken the security of the key, which itself can use only
          SHA-2 family of algorithms RFC 5656 (Section 3.1.1).

But I am also not a cryptographer, so it's just my guts telling me
that if a key is allowed to use only SHA-2, we should keep it in sync
here.

> - IMHO the 'OpenSSH' format is just the PEM format

I have added a reference to RFC 4716 there.

> - 3.2.1 page 4: this is the MUST I am not convinced by the justification
> (BTW I suggest to fix the justification if it is too wrong, and
>  to keep the MUST)

Well, I don't think I have received secdir review, I'll solve it there
if you don't mind.

> - 7 page 8: BTW I like the disclaimer:
>   ... Regardless of whether or not the attacks on SHA-1 will
>   affect SSHFP, it is believed (at the time of this writing) that SHA-
>   256 is the better choice for use in SSHFP records.

Well, thanks goes to authors of RFC 5702 :)

> [...]
All your other comments not mentioned here are fixed.

--
 Ondřej Surý
 vedoucí výzkumu/Head of R&D department
 -------------------------------------------
 CZ.NIC, z.s.p.o.    --    Laboratoře CZ.NIC
 Americka 23, 120 00 Praha 2, Czech Republic
 mailto:[email protected]    http://nic.cz/
 tel:+420.222745110       fax:+420.222745112
 -------------------------------------------

_______________________________________________
Gen-art mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/gen-art

Reply via email to