Increase the Secure Shell Minimum Recommended Diffie-Hellman Modulus Size to 2048 Bits
draft-ietf-curdle-ssh-dh-group-exchange-06

Note: This ballot was opened for revision 05 and is now closed.

Ben Campbell Yes

Comment (2017-09-13 for -05)
I share the questions about "SHOULD" vs "MUST".

- abstract: "insufficient against state-sponsored
   actors, and possibly an organization with enough computing resources"

Should "an" be "any"?  (Same question for section 2).

Warren Kumari Yes

Comment (2017-09-11 for -05)
Minor nit:

Section 2.  2048 bits DH Group
"It also suggests that in all cases, the size of the group needs be at least 1024 bits.This document updates [RFC4419] as described below:"
s/bits.This/bits. This/ (missing space).

Mirja K├╝hlewind Yes

Comment (2017-09-04 for -05)
1) Can you explain why the pre-5378 boilerplate is used? 

2) I guess RFC4419 should be a normative reference!

Alexey Melnikov Yes

Kathleen Moriarty Yes

Comment (2017-09-13 for -05)
I do agree with Spencer, the text that is non-normative reads as if this is fully deprecating any recommendation below 2048, but then the normative text just says SHOULD.  Is there a reason this is not MUST?  I know deprecating things takes a long time.

Eric Rescorla Yes

Adam Roach Yes

Alia Atlas No Objection

Deborah Brungard No Objection

Benoit Claise No Objection

Comment (2017-09-13 for -05)
Sue, in her OPS DIR review, brought up a good point.
This document does not indicate whether it is wise for the operations system to log a report if it receives a less than 2048 bits.  
Would this enhance security or provide DoS attack surface.   If logging creates a DoS surface, it would be good to include this as operational advice.

Spencer Dawkins No Objection

Comment (2017-09-12 for -05)
So, I see that the recommendations are mostly SHOULDs. 

Is this, perhaps, for backward compatibility with SSH implementations that don't implement this specification?

This isn't remotely something I'm smart about, but I do wonder about bid-down attacks to, say, 1024. Is that possible?

Suresh Krishnan No Objection

Comment (2017-09-13 for -05)
RFC4419 specifies an example in Appendix A that uses a 1024 bit safe prime. Shouldn't this Appendix be updated by the draft as well?

Terry Manderson No Objection

Alvaro Retana No Objection