Thank you! Lionel
-----Original Message-----
From: Ondřej Surý [mailto:[email protected]]
Sent: Friday, 27 January 2012 14:47
To: Francis Dupont; MORAND Lionel RD-CORE-ISS; Peter Koch; Daniel Black
Cc: Elwyn Davies; Stephen Farrell; [email protected]; [email protected]; [email protected]
Subject: Updated draft-os-ietf-sshfp-ecdsa-sha2-06.txt

Hi,

since I have received many comments about this block:

>> ECDSA public key fingerprints MUST use the SHA-256 algorithm
>> for the fingerprint as using the SHA-1 algorithm would
>> weaken the security of the key, which itself can use only
>> SHA-2 family of algorithms RFC 5656 (Section 3.1.1).

I have removed it from the draft version -06 and kept only the part in Implementation Considerations:

4.1. Support for SHA-256 fingerprints

SSHFP-aware Secure Shell implementations SHOULD support the SHA-256 fingerprints for verification of the public key. Secure Shell implementations which support SHA-256 fingerprints MUST prefer a SHA-256 fingerprint over SHA-1 if both are available for a server. If the SHA-256 fingerprint is tested and does not match the key SSH public key received from the SSH server key, then the key MUST be rejected rather than testing the alternative SHA-1 fingerprint.

and Security Considerations:

Users of SSHFP are encouraged to deploy SHA-256 as soon as implementations allow for it. SHA-2 family of algorithms is widely believed to be more resilient to attack than SHA-1, and confidence in SHA-1's strength is being eroded by recently announced attacks [IACR 2007/474]. Regardless of whether or not the attacks on SHA-1 will affect SSHFP, it is believed (at the time of this writing) that SHA-256 is the better choice for use in SSHFP records.

I believe that now all concerns are solved, but I haven't got the review from secdir yet.

O.

--
Ondřej Surý
Head of Research/Head of R&D department
-------------------------------------------
CZ.NIC, z.s.p.o.
-- CZ.NIC Laboratories
Americka 23, 120 00 Praha 2, Czech Republic
mailto:[email protected] http://nic.cz/
tel:+420.222745110 fax:+420.222745112
-------------------------------------------
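The section 4.1 verification policy quoted in the message above, as an added example that is not the draft's, CZ.NIC's or any SSH implementation's code: a Python checker that assumes an SSHFP fingerprint is the digest over the SSH public key blob (RFC 4255), and that the key blob and DNS records it tests against are constructed sample values.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Tuple

# SSHFP algorithm and fingerprint-type numbers: RFC 4255 plus ECDSA (3) from this draft.
ALG_ECDSA = 3
FP_SHA1 = 1
FP_SHA256 = 2
_DIGEST = {FP_SHA1: hashlib.sha1, FP_SHA256: hashlib.sha256}


@dataclass(frozen=True)
class Sshfp:
    algorithm: int
    fp_type: int
    fingerprint: bytes  # raw digest as published in the DNS record


def verify_sshfp(records: Iterable[Sshfp], algorithm: int, key_blob: bytes) -> bool:
    """Accept the server key only under the draft's section 4.1 policy.

    The fingerprint is the digest over the SSH public key blob (RFC 4255).
    If any SHA-256 record exists for this algorithm it alone decides: on a
    mismatch the key is rejected and the SHA-1 records are never consulted.
    SHA-1 is used only when no SHA-256 record is published at all.
    """
    candidates = [r for r in records if r.algorithm == algorithm and r.fp_type in _DIGEST]
    if not candidates:
        return False  # no usable record: nothing was verified, so do not accept
    preferred = FP_SHA256 if any(r.fp_type == FP_SHA256 for r in candidates) else FP_SHA1
    observed = _DIGEST[preferred](key_blob).digest()
    return any(hmac.compare_digest(observed, r.fingerprint)
               for r in candidates if r.fp_type == preferred)


def demo() -> Tuple[bool, bool, bool]:
    # Constructed stand-in for an ECDSA host key blob; not a real key.
    server_key = b"\x00\x00\x00\x13ecdsa-sha2-nistp256" + b"\x01" * 65
    good_sha256 = Sshfp(ALG_ECDSA, FP_SHA256, hashlib.sha256(server_key).digest())
    good_sha1 = Sshfp(ALG_ECDSA, FP_SHA1, hashlib.sha1(server_key).digest())
    stale_sha256 = Sshfp(ALG_ECDSA, FP_SHA256, hashlib.sha256(b"old key").digest())
    accepted = verify_sshfp([good_sha1, good_sha256], ALG_ECDSA, server_key)
    # SHA-256 record present but wrong: rejected although the SHA-1 record matches.
    rejected = verify_sshfp([good_sha1, stale_sha256], ALG_ECDSA, server_key)
    # Only SHA-1 published: the key is still verifiable with SHA-1.
    sha1_only = verify_sshfp([good_sha1], ALG_ECDSA, server_key)
    return accepted, rejected, sha1_only
```

The middle case is the one the draft text is about: a matching SHA-1 record must not rescue a key whose SHA-256 record does not match.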
