The IESG has approved the following document:
- 'Use of RSA Keys with SHA-256 and SHA-512 in Secure Shell (SSH)'
  (draft-ietf-curdle-rsa-sha2-12.txt) as Proposed Standard

This document is the product of the CURves, Deprecating and a Little more
Encryption Working Group.

The IESG contact persons are Kathleen Moriarty and Eric Rescorla.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-curdle-rsa-sha2/

Technical Summary

This memo updates RFC 4252 and RFC 4253 to define new public key
algorithms for use of RSA keys with SHA-2 hashing for server and
client authentication in SSH connections.

Working Group Summary

One discussion point concerned the use of PSS signatures.
The WG consensus was that there was no plan to implement this,
while PKCS#1 v1.5 does not present major flaws. As a result, it was
agreed to stay with PKCS#1 v1.5 for now. This has been clearly explained in
section 5.3.

Another discussion was related to draft-ietf-curdle-ssh-ext-info and
interoperability between SSH implementations with that latest extension. The
discussion is somewhat unrelated to this draft, except that the draft recommends
the use of this extension so the client knows in advance that the server supports
the rsa-sha2-* public key algorithms. The motivation is that some servers implement
penalties when clients use unsupported public key algorithms.
I do not think the discussion affects the current draft as:
* the current draft only provides a recommendation of using
draft-ietf-curdle-ssh-ext-info.
* the current draft provides alternatives (no penalties, using the new
algorithms as default, ...).
* the draft comments on the transition to the new algorithms in section 5.2.
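As an added illustration (not part of this announcement, nor code from either draft or from PKIX-SSH), the following Python sketch shows the client-side logic the recommendation above implies: parse an SSH_MSG_EXT_INFO message, read the "server-sig-algs" name-list, and offer an rsa-sha2-* public key algorithm only when the server has announced it, so a client never trips the penalty some servers apply to unsupported algorithms. The message layout (message number 7, uint32 count, then name/value string pairs) follows draft-ietf-curdle-ssh-ext-info as published in RFC 8308; the preference order, the "do not guess when no EXT_INFO was received" fallback and the sample message are my assumptions.

```python
import struct

MSG_EXT_INFO = 7  # SSH_MSG_EXT_INFO message number (RFC 8308)

# Client preference for RSA signature algorithms, strongest hash first.
# This ordering is an assumption for the example, not a value from the draft.
RSA_PREFERENCE = ("rsa-sha2-512", "rsa-sha2-256", "ssh-rsa")


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string' (uint32 length prefix + bytes, RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def build_ext_info(extensions) -> bytes:
    """Build an SSH_MSG_EXT_INFO payload from (name, value) byte pairs."""
    out = bytes([MSG_EXT_INFO]) + struct.pack(">I", len(extensions))
    for name, value in extensions:
        out += ssh_string(name) + ssh_string(value)
    return out


def _read_string(buf: bytes, off: int):
    """Read one SSH string at offset; reject lengths that run past the buffer."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off:off + n], off + n


def parse_ext_info(payload: bytes) -> dict:
    """Parse SSH_MSG_EXT_INFO into {extension-name: extension-value}."""
    if not payload or payload[0] != MSG_EXT_INFO:
        raise ValueError("not an SSH_MSG_EXT_INFO payload")
    if len(payload) < 5:
        raise ValueError("missing extension count")
    (count,) = struct.unpack_from(">I", payload, 1)
    off, exts = 5, {}
    for _ in range(count):
        name, off = _read_string(payload, off)
        value, off = _read_string(payload, off)
        exts[name.decode("ascii")] = value.decode("ascii")
    if off != len(payload):
        raise ValueError("trailing bytes after extensions")
    return exts


def choose_rsa_sig_alg(ext_info, allow_sha1_fallback: bool = False):
    """Pick the RSA public key algorithm to offer for an RSA user key.

    Returns None when the server did not announce server-sig-algs (no
    EXT_INFO, or the extension is absent): without that information the
    client cannot know which rsa-sha2-* names are safe to try, so this
    policy refuses to guess rather than risk a server-side penalty.
    """
    if ext_info is None or "server-sig-algs" not in ext_info:
        return None
    advertised = [a for a in ext_info["server-sig-algs"].split(",") if a]
    for alg in RSA_PREFERENCE:
        if alg == "ssh-rsa" and not allow_sha1_fallback:
            continue  # SHA-1 based ssh-rsa only if the caller opts in
        if alg in advertised:
            return alg
    return None


# Constructed sample: a server that announces both new algorithms.
SAMPLE_EXT_INFO = build_ext_info([
    (b"server-sig-algs", b"ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa"),
])


def demo():
    """Parse the constructed message and return the chosen algorithm."""
    return choose_rsa_sig_alg(parse_ext_info(SAMPLE_EXT_INFO))


if __name__ == "__main__":
    print(demo())
```

The parser checks every length field before slicing, since EXT_INFO arrives from the peer before user authentication and should be treated as untrusted input.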

Note that Roumen, the implementer of PKIX-SSH [1], raised the
draft-ietf-curdle-ssh-ext-info issue and implemented the current draft using
the defined algorithms as default (cf. release note of "25 Mar 2017 : Version
x509-10.1"):

"""
new RSA key algorithms
This version supports new public key algorithms: rsa-sha2-256 (default) and 
rsa-sha2-512. 
Client and agent will use them only if server announce them in one of 
extensions mentioned
above.
"""

I also believe we have found consensus on the draft-ietf-curdle-ssh-ext-info
draft.

[1] http://roumenpetrov.info/secsh/index.html


Document Quality

From the non-up-to-date SSH implementation comparison [1], as well as from the
author/implementer of the draft, the following SSH implementations
implement the draft:
- Bitvise SSH Server and Client
- OpenSSH
- AsyncSSH
- SmartFTP

In addition, Roumen, the implementer of PKIX-SSH [2], provided significant
clarification of the document, and the release note of "25 Mar 2017 : Version
x509-10.1" suggests PKIX-SSH supports the current draft.

[1] http://ssh-comparison.quendi.de/comparison/hostkey.html
[2] http://roumenpetrov.info/secsh/index.html


Personnel

Daniel Migault is the document shepherd and Eric Rescorla is the Security Area 
Director.
