Re: Strange crypto choices

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



there are more implications to changing key algorithms than KEX
algorithms. If a change is made to the specification, then it might
invalidate all the keys that are out there, this isn't the case with
any other negotiated algorithm,


On Sun, 27 May 2018, Yegor Ievlev wrote:

> I don't think we should wait for a RFC in order to use stronger
> crypto. We already prefer Curve25519 for key exchange without waiting
> for it. So why wait for a RFC in this case?
> 
> On Sun, May 27, 2018 at 5:09 AM, Damien Miller <djm@xxxxxxxxxxx> wrote:
> > On Sat, 26 May 2018, Christian Weisgerber wrote:
> >
> >> On 2018-05-25, Yegor Ievlev <koops1997@xxxxxxxxx> wrote:
> >>
> >> > The defaults for HostKeyAlgorithms option are: [...]
> >> > Why does OpenSSH prefer older and less secure
> >> > (https://safecurves.cr.yp.to/) ECDSA with NIST curves over Ed25519?
> >>
> >> I asked Markus and Damien about this in the past but honestly don't
> >> remember the answer.  Some of the potential reasons (lack of
> >> standardization, no DNS fingerprint, ...) seem to no longer apply.
> >> I've been wanting to hassle Markus and Damien about this again,
> >> once I run into them in person, but that opportunity hasn't presented
> >> itself yet.
> >
> > Yeah, there's no RFC for ed25519 keys yet. There's an I-D in progress at
> > https://tools.ietf.org/id/draft-ietf-curdle-ssh-ed25519-01.html
> >
> > Christian is right about our reasoning for the other choices.
> >
> > -d
> > _______________________________________________
> > openssh-unix-dev mailing list
> > openssh-unix-dev@xxxxxxxxxxx
> > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> 
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux