Secure Shell (SSH) Key Exchange Method Using Hybrid Streamlined NTRU Prime sntrup761 and X25519 with SHA-512: sntrup761x25519-sha512
draft-ietf-sshm-ntruprime-ssh-06
Yes
Deb Cooley
Erik Kline
No Objection
Andy Newton
Jim Guichard
Ketan Talaulikar
Mahesh Jethanandani
Abstain
Note: This ballot was opened for revision 04 and is now closed.
Deb Cooley
Yes
Erik Kline
Yes
Mohamed Boucadair
(was No Objection)
Yes
Comment
(2025-08-05 for -04)
Sent for earlier
Hi Markus, Jan, and Simon, Thank you for the effort put into documenting this. Thanks to Susan Hares for an early OPSDIR review of the individual draft. Special thanks to Job Snijders for the detailed write-up and description of the development of this document. I have one minor comment: # Consider citing a reference CURRENT: The variant sntrup761 instance has been implemented widely. Cheers, Med
Orie Steele
Yes
Comment
(2025-08-20 for -05)
Sent
# Orie Steele, ART AD, comments for draft-ietf-sshm-ntruprime-ssh-05 CC @OR13 * line numbers: - https://author-tools.ietf.org/api/idnits?url=https://www.ietf.org/archive/id/draft-ietf-sshm-ntruprime-ssh-05.txt&submitcheck=True * comment syntax: - https://github.com/mnot/ietf-comments/blob/main/format.md * "Handling Ballot Positions": - https://ietf.org/about/groups/iesg/statements/handling-ballot-positions/ ## Comments ### SSH_DISCONNECT_KEY_EXCHANGE_FAILED: Why not MUST? I'm sure this has been discussed by the WG, but: ``` 134 keys Q_C or Q_S are not the expected lengths. An abort for these 135 purposes is defined as a disconnect (SSH_MSG_DISCONNECT) of the 136 session and SHOULD use the SSH_DISCONNECT_KEY_EXCHANGE_FAILED reason 137 for the message, see section 11.1 (Disconnection Message) of 138 [RFC4253]. No further validation is required beyond what is ``` Which other reason codes are appropriate for this? ### Ok to Implement? ``` 193 Since sntrup761x25519-sha512 is expected to offer no reduction of 194 security compared to curve25519-sha256, it is recommended that it is 195 used and preferred whenever curve25519-sha256 is used today, when the 196 extra communication size and computational requirements are 197 acceptable. ``` ``` 213 IANA is requested to add a new "Method Name" of 214 "sntrup761x25519-sha512" to the "Key Exchange Method Names" registry 215 for Secure Shell (SSH) Protocol Parameters [IANA-KEX] with a 216 "reference" field to this RFC and the "OK to implement" field of 217 "SHOULD". ``` The security considerations recommends "sntrup761x25519-sha512" over "curve25519-sha256" but the IANA guidance for both algorithms is "SHOULD". I've seen discussion of this topic on the lists. Per https://www.rfc-editor.org/rfc/rfc9142.html#section-3.1.3-4 ``` Table 8 lists algorithms as "SHOULD" where implementations may be more efficient or widely deployed. The items listed as "MAY" in Table 8 are potentially less efficient. ``` ... ``` Methods that are newer or considered to be stronger usually require more device resources than many administrators and/or developers need are to be allowed ("MAY"). (Eventually, some of these methods could be moved by consensus to "SHOULD" to increase interoperability and security.) Methods that are not "weak" and have implementation consensus are encouraged ("SHOULD"). There needs to be at least one consensus method promoted to a status of mandatory to implement (MTI). This should help to provide continued interoperability even with the loss of one of the now disallowed MTI methods. ``` If the working group believes that both methods are equally widely deployed and equally efficient, SHOULD seems correct to me. I don't see how a WG can conclude that a PQ/T hybrid will be more widely deployed or more efficient than one of its traditional algorithm components, but I am not an expert on SSH. I'd advise the WG to make this a "MAY", and to tackle clarifying the guidance this registry is trying to provide in a separate document. I'm not recommending MAY for any reason other than I had to read RFC 9142 to understand what "Ok to implement" means. The arguments raised regarding PQ migration and harvest now decrypt later are important. However, I do not believe they justify reading a column in a registry differently for hybrids, even if there is a some chance of a security benefit from doing so. ## Nits ### Acknowledgements before security considerations ``` 156 4. Acknowledgements ``` Typically this comes at the end of the document, although I noted that RFC4251 put contributors after the introduction.
Andy Newton
No Objection
Gorry Fairhurst
No Objection
Comment
(2025-08-14 for -04)
Sent
Thank you for documenting this an Informational I-D. It's a pity there is a normative reference to a PDF document, rather than an archived source, but for this particular, I-D I shall not worry about that.
Jim Guichard
No Objection
Ketan Talaulikar
No Objection
Mahesh Jethanandani
No Objection
Mike Bishop
No Objection
Comment
(2025-08-20 for -05)
Sent
The discussions around SHOULD/MAY have drawn a lot of attention, and I am surprised to see a SHOULD value here compared to the reasons given for other values in RFC9142. However, the distinction is small in practice -- it's not prohibited and not mandated. Thus, I don't see a reason to block further on that. In Section 1, should "The variant sntrup761 instance" be "The variant sntrup761" or "The sntrup761 instance"? Otherwise, I'm uncertain what a "variant instance" is in this context. I appreciate the acknowledgement that you've patterned this draft after RFC8731, but this doesn't seem to be useful information in the Introduction. You're already referencing that RFC extensively in the process of building a hybrid; it's unclear that this final statement in the Introduction adds anything. ===NITS FOLLOW=== Section 3: "procedure re-use" => "procedure re-uses"
Paul Wouters
(was Discuss)
No Objection
Comment
(2025-08-15 for -05)
Sent
Thanks for the discussion on my concerns and giving me the confidence on mlkem768x25519-sha256 getting the same OK-to-implement status and that the WG will work on updating the IANA SSH Registration Policies to align with the fact that there is an SSH WG now for future algorithm discussions. I have updated my ballot to No Objection.
Roman Danyliw
No Objection
Comment
(2025-08-21 for -05)
Sent
Thank you to Christer Holmberg for the GENART review
.
** Is there a better source for this critical normative reference – it is currently a personal website. Is there a DOI number?
[NTRUPrimePQCS]
Bernstein, D.J., Brumley, B. B., Chen,, M.,
Chuengsatiansup, C., Lange, T., Marotzke, A., Peng, B.,
Tuveri, N., Vredendaal, C. V., and B. Yang, "NTRU Prime:
round 3", WWW https://ntruprime.cr.yp.to/nist/ntruprime-
20201007.pdf, October 2020.
Éric Vyncke
Abstain
Comment
(2025-08-20 for -05)
Sent
Thanks for the hard work and the discussions on this I-D. Balloting an ABSTAIN rather than NoObjection as I have two reservations (see below) on this I-D in its current form but they are not DISCUSS worthy. Please note that for an informational draft, ABSTAIN is like a NoObjection regarding the IESG evaluation. My first issue is the third consensus call *during* the IESG evaluation, using an *unclear email subject*, with a duration of 4 days... At least, the 3rd consensus call confirmed the 2nd consensus. My second issue is more fundamental: this I-D specifies an algorithm that must be negotiated and *interoperable* between clients and servers, i.e., it should really be "standards track" and not "informational". The latter would have been OK in the ISE stream to document the "sn..512@openssh.com" but not the official IANA entry of "sn...512". Normal COMMENTS: Abstract: unsure whether the IETF can write `This document describes a *widely* deployed` without citing a reference (as it then seems like an advertisement for an implementation). Section 1: if this document is informational, then `This document *specifies* a hybrid construction` is not correct: it should use "describes" rather than "specifies". Section 3: s/Some earlier implementation may /Some earlier implementation*s* may / Section 4: who is the "we" in `We wish to thank` ? The authors (I guess)? the SSH WG ? the IETF ? Please be specific. Section 4: does the list after `who contributed` mean that the identified people are actual contributors (in the IETF sense == provided a lot of text ?).