Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell (SSH) Protocol
draft-ietf-curdle-rsa-sha2-12

Approval announcement
Draft of message to be sent after approval:

Announcement

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: The IESG <iesg@ietf.org>, ekr@rtfm.com, Daniel Migault <daniel.migault@ericsson.com>, curdle-chairs@ietf.org, curdle@ietf.org, daniel.migault@ericsson.com, draft-ietf-curdle-rsa-sha2@ietf.org, rfc-editor@rfc-editor.org
Subject: Protocol Action: 'Use of RSA Keys with SHA-256 and SHA-512 in Secure Shell (SSH)' to Proposed Standard (draft-ietf-curdle-rsa-sha2-12.txt)

The IESG has approved the following document:
- 'Use of RSA Keys with SHA-256 and SHA-512 in Secure Shell (SSH)'
  (draft-ietf-curdle-rsa-sha2-12.txt) as Proposed Standard

This document is the product of the CURves, Deprecating and a Little more
Encryption Working Group.

The IESG contact persons are Kathleen Moriarty and Eric Rescorla.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-curdle-rsa-sha2/


Ballot Text

Technical Summary

This memo updates RFC 4252 and RFC 4253 to define new public key
  algorithms for use of RSA keys with SHA-2 hashing for server and
  client authentication in SSH connections.

Working Group Summary

One discussion point concerned the use of PSS signatures.
The WG consensus was that there was no plan to implement this,
while pkcs1v1.5 does not present major flaws. As a result, it was
agreed to stay with pkcs1v1.5 for now. This has been clearly explained in section 5.3.

Another discussion was related to draft-ietf-curdle-ssh-ext-info and
interoperability between SSH implementations with that latest extension. The
discussion is somewhat unrelated to this draft, except that the draft recommends
the use of this extension so the client knows in advance that the server supports the
rsa-sha2-* public key algorithms. The motivation is that some servers implement
penalties when clients use unsupported public key algorithms.
I do not think the discussion affects the current draft as:
* the current draft only provides a recommendation to use draft-ietf-curdle-ssh-ext-info.
* the current draft provides alternatives (no penalties, using the new algorithms as default, ...).
* the draft comments on the transition to the new algorithms in section 5.2.

Note that Roumen, the implementer of PKIX-SSH, raised the draft-ietf-curdle-ssh-ext-info
issue and implemented the current draft using the defined algorithms as default
(cf. the release note of "25 Mar 2017 : Version x509-10.1").

"""
new RSA key algorithms
This version supports new public key algorithms: rsa-sha2-256 (default) and rsa-sha2-512. 
Client and agent will use them only if server announce them in one of extensions mentioned
above.
"""

I also believe we have found consensus on the draft-ietf-curdle-ssh-ext-info draft.

[1] http://roumenpetrov.info/secsh/index.html


Document Quality

From the SSH implementation comparison [1], which is not up to date, as well as from the author/implementer of the draft, the following SSH implementations implement the draft:
- Bitvise SSH Server and Client
- OpenSSH
- AsyncSSH
- SmartFTP

In addition, Roumen, the implementer of PKIX-SSH, provided significant clarification of the document, and the release note of "25 Mar 2017 : Version x509-10.1" suggests PKIX-SSH supports the current draft.

[1] http://ssh-comparison.quendi.de/comparison/hostkey.html
[2] http://roumenpetrov.info/secsh/index.html


Personnel

Daniel Migault is the document shepherd and Eric Rescorla is the Security Area Director.

RFC Editor Note