
Re: [saag] Fwd: Last Call: <draft-moonesamy-sshfp-ed25519-01.txt> (Using ED25519 in SSHFP Resource Records) to Informational RFC

2014-05-05 10:14:46
Dear colleagues:

I had a brief look at the draft document draft-moonesamy-sshfp-ed25519-01. Please find my comments below:

Section 1 & 2:
The paper [Ed25519] defines a set of signature algorithms, but also specifies a concrete instantiation Ed25519-SHA512 (see Section 2 of the paper). It is not clear whether the draft wants to use Ed25519-SHA512 or that scheme with another hash function. A disadvantage of using Ed25519-SHA512 is that this may require implementation of both SHA-256 and SHA-512 (witness Section 2 of the internet draft). Would it make sense to use, e.g., SHA-512/256 for fingerprinting instead of SHA-256 (or get rid of SHA-512, at the expense of having to tweak Ed25519 somewhat)? Tweaking Ed25519 could be done as follows: for ephemeral private keys one can simply use SHA-256 as hash function (since the curve has very close to a power-of-two number of elements, biases are close to zero, so Bleichenbacher-style attacks do not apply); instead of using SHA-512(k), use SHA-256(k,0) || SHA-256(k,1). The use of hash functions for generation of ephemeral and static private keys does not influence interoperability; only the choice of hash function for the Schnorr-style signing equation does, since it affects the signature component s.

Section 6.2:
Please replace the informative reference [Ed25519] <http://ed25519.cr.yp.to/ed25519-20110926.pdf> by the permanent reference [Ed25519] D. Bernstein, T. Lange, P. Schwabe, B-Y. Yang, High-Speed High-Security Signatures, J. of Cryptographic Engineering, Vol. 2, September 26, 2011.

Best regards, Rene

On 5/1/2014 11:02 AM, Stephen Farrell wrote:
FYI, this was discussed briefly here and has been
discussed on the old secsh (ssh) WG mailing list.

IETF LC has started.

S


-------- Original Message --------
Subject: Last Call: <draft-moonesamy-sshfp-ed25519-01.txt> (Using
ED25519 in SSHFP Resource Records) to Informational RFC
Date: Thu, 01 May 2014 07:57:35 -0700
From: The IESG <iesg-secretary(_at_)ietf(_dot_)org>
Reply-To: ietf(_at_)ietf(_dot_)org
To: IETF-Announce <ietf-announce(_at_)ietf(_dot_)org>


The IESG has received a request from an individual submitter to consider
the following document:
- 'Using ED25519 in SSHFP Resource Records'
   <draft-moonesamy-sshfp-ed25519-01.txt> as Informational RFC

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf(_at_)ietf(_dot_)org mailing lists by 2014-05-29. Exceptionally, comments
may be sent to iesg(_at_)ietf(_dot_)org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


    The Ed25519 signature algorithm has been implemented in OpenSSH.
    This document updates the IANA "SSHFP RR Types for public key
    algorithms" registry by adding an algorithm number for Ed25519.



The file can be obtained via
http://datatracker.ietf.org/doc/draft-moonesamy-sshfp-ed25519/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-moonesamy-sshfp-ed25519/ballot/


No IPR declarations have been submitted directly on this I-D.

Note that there is no current standardised format for the input
to the hash function here, but there are two implementations
of this so a codepoint is needed and useful. A standard public
key format is likely to be developed in future (but could take
some time) at which point it may make sense to assign another
codepoint, but there are no issues with codepoint scarcity here
so that seems like it will work given the implementers seem ok
with it, even if it's not ideal.






_______________________________________________
saag mailing list
saag(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/saag


--
email: rstruik(_dot_)ext(_at_)gmail(_dot_)com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
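
For reference, an added example (not part of this thread or of the draft) of the check an SSHFP consumer performs: derive the SHA-256 fingerprint of an Ed25519 host key and compare it with a published record. It assumes the hash input is the SSH wire-format public key blob (the base64 field of an OpenSSH public key line), uses SSHFP algorithm number 4 as later assigned in RFC 7479 (the thread itself does not state the number) and fingerprint type 2 from RFC 6594; the key is constructed sample data.

```python
import base64
import hashlib
import hmac
import struct

SSHFP_ALG_ED25519 = 4  # assigned in RFC 7479; not stated in this thread
SSHFP_FP_SHA256 = 2    # SHA-256 fingerprint type, RFC 6594

def read_string(buf, off):
    """Read one SSH wire-format string (uint32 length, then the bytes)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:end], end

def ed25519_blob(pubkey_line):
    """Decode and sanity-check the blob of an 'ssh-ed25519 AAAA...' line."""
    fields = pubkey_line.split()
    if len(fields) < 2 or fields[0] != "ssh-ed25519":
        raise ValueError("not an ssh-ed25519 public key line")
    blob = base64.b64decode(fields[1], validate=True)
    name, off = read_string(blob, 0)
    key, off = read_string(blob, off)
    if name != b"ssh-ed25519" or len(key) != 32 or off != len(blob):
        raise ValueError("malformed ssh-ed25519 blob")
    return blob

def sshfp_rdata(pubkey_line):
    """Return (algorithm, fingerprint type, hex fingerprint) for the key."""
    digest = hashlib.sha256(ed25519_blob(pubkey_line)).hexdigest()
    return SSHFP_ALG_ED25519, SSHFP_FP_SHA256, digest

def matches(pubkey_line, alg, fp_type, fp_hex):
    """True if a published SSHFP record matches the key the server offered."""
    want = sshfp_rdata(pubkey_line)
    return (alg, fp_type) == want[:2] and hmac.compare_digest(fp_hex.lower(), want[2])

def sample_line():
    """Constructed sample: 32 arbitrary bytes, not a real host key."""
    key = bytes(range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + key
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " host@example"

if __name__ == "__main__":
    print("host.example. IN SSHFP %d %d %s" % sshfp_rdata(sample_line()))
```

A record obtained this way is only as trustworthy as the DNS answer that carried it, so the comparison is meaningful when the SSHFP lookup is DNSSEC-validated.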
