On 2018-05-25, Yegor Ievlev <koops1997@xxxxxxxxx> wrote:

> The defaults for HostKeyAlgorithms option are: [...]
> Why does OpenSSH prefer older and less secure
> (https://safecurves.cr.yp.to/) ECDSA with NIST curves over Ed25519?

I asked Markus and Damien about this in the past but honestly don't
remember the answer. Some of the potential reasons (lack of
standardization, no DNS fingerprint, ...) seem to no longer apply.

I've been wanting to hassle Markus and Damien about this again, once
I run into them in person, but that opportunity hasn't presented
itself yet.

> Also why are smaller key, curve and hash sizes preferred over bigger
> ones?

Reasonable trade-off between security and performance.

> The default ciphers are: [...]
> Why is CTR mode preferred over GCM?

GCM performs poorly without hardware support for carry-less
multiplication.

> The default MACs are: [...]
> Why is UMAC preferred over HMAC? UMAC is less widely known and does
> not have as much research done on its security as HMAC.

UMAC has a security proof and performs very well.

-- 
Christian "naddy" Weisgerber naddy@xxxxxxxxxxxx
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
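
The three orderings discussed in this message can be checked on a given client from the output of `ssh -G <host>`, which prints the effective `hostkeyalgorithms`, `ciphers` and `macs` lists in preference order. The following is an added example, not part of the original message and not OpenSSH project code; the sample input is constructed (the defaults are elided in the message above) and the function names are hypothetical.

```python
# Added example: audit the preference order that `ssh -G <host>` reports.
# SAMPLE_SSH_G is constructed for illustration; it is not copied from any
# OpenSSH release. The algorithm names themselves are real OpenSSH names.
SAMPLE_SSH_G = """\
hostkeyalgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
"""

# For each option: two algorithm families (substring match) whose relative
# order is the question raised in the thread.
CHECKS = {
    "hostkeyalgorithms": ("ed25519", "ecdsa-sha2-nistp"),
    "ciphers": ("-gcm@", "-ctr"),
    "macs": ("hmac-", "umac-"),
}

def parse_ssh_g(text):
    """Map each keyword of interest to its ordered algorithm list."""
    options = {}
    for line in text.splitlines():
        keyword, _, value = line.strip().partition(" ")
        if keyword in CHECKS and value:
            options[keyword] = value.split(",")
    return options

def first_index(algorithms, needle):
    """Position of the first algorithm containing needle, or None if absent."""
    return next((i for i, name in enumerate(algorithms) if needle in name), None)

def preferred_family(algorithms, family_a, family_b):
    """Return whichever family appears earlier in the list (earlier = preferred)."""
    a, b = first_index(algorithms, family_a), first_index(algorithms, family_b)
    if a is None and b is None:
        return None
    if b is None or (a is not None and a < b):
        return family_a
    return family_b

def audit(text):
    """Report, per option, which of the two compared families is preferred."""
    options = parse_ssh_g(text)
    return {opt: preferred_family(options.get(opt, []), *families)
            for opt, families in CHECKS.items()}

if __name__ == "__main__":
    for option, family in audit(SAMPLE_SSH_G).items():
        print(f"{option}: prefers {family}")
```

To audit a real client, pass the captured output of `ssh -G <host>` to `audit()` in place of the constructed sample.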