Last Call Review of draft-ietf-curdle-ssh-curves-09
review-ietf-curdle-ssh-curves-09-secdir-lc-gondrom-2019-08-25-00

Request: Review of draft-ietf-curdle-ssh-curves
Requested revision: No specific revision (document currently at 12)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2019-08-26
Requested: 2019-08-12
Authors: Aris Adamantiadis, Simon Josefsson, Mark D. Baushke
I-D last updated: 2019-08-25
Completed reviews: Secdir Last Call review of -09 by Tobias Gondrom; Genart Last Call review of -09 by Christer Holmberg
Assignment: Reviewer Tobias Gondrom
State: Completed
Request: Last Call review on draft-ietf-curdle-ssh-curves by Security Area Directorate, Assigned
Posted at: https://mailarchive.ietf.org/arch/msg/secdir/mHhNK6_Ag7ybu8RkKP9ac2-JrXg
Reviewed revision: 09 (document currently at 12)
Result: Ready
Completed: 2019-08-25
I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These
comments were written primarily for the benefit of the security area directors.
Document editors and WG chairs should treat these comments just like any other
last call comments.

The summary of the review is Ready.

This document describes how to implement key exchange based on Elliptic Curve
Curve25519 (with SHA256) and Curve448 (with SHA512) in SSH. Note: the
curve25519-sha256 key exchange is similar to the "curve25519-sha256@libssh.org"
key exchange method implemented in libssh and OpenSSH.

One thought: I am not cryptographer enough to give a proper recommendation as
to the suitability of Curve448 with SHA-512. The reviews state that they would
be similar, but with Curve448 not having received the same amount of
cryptographic review. I am a bit cautious about assuming it would be a good fallback
in case Curve25519 were considered weakened by cryptographic advances.
Surely extending the hash to 512 can be helpful, but as both Curve448 and
Curve25519 seem to rely on similar principles, the advances that might weaken
25519 might sooner or later also impact 448. Considering that 448 has not had
so many reviews, I am not sure whether it is helpful to add it as a fallback.
In case of new advances, 448 would have to be reviewed more closely before a
general fallback would be recommended. This is only my personal view with
limited background in cryptography. However, equally, it might be prudent to
add 448 in this document now as it is and then schedule the deeper review once
new breakthroughs are discovered that weaken 25519.

One minor spelling nit:
Section 5: "...but it is provided as an hedge" should read "...but it is provided as a hedge".

Overall the draft is ready to go.

Best regards, Tobias
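The curve25519-sha256 key exchange the review summarises above, worked through end to end as an added example; this is not code from the draft, from libssh or from OpenSSH. It implements X25519 (RFC 7748) in pure Python with a plain, non-constant-time Montgomery ladder so that it runs without third-party packages, then builds the SSH exchange hash H over the RFC 4251 `string`/`mpint` encodings with the 32-byte shared secret interpreted as a fixed-length unsigned big-endian integer before mpint encoding. It also applies the two checks a robust implementation needs here: the peer's public key must be exactly 32 bytes, and an all-zero shared secret (the result of a low-order peer key) must abort the exchange. The function names (`shared_secret_K`, `exchange_hash`, `demo`), the fixed private keys and the KEXINIT/host-key placeholder strings are constructed for this example and are not taken from the draft.

```python
import hashlib

# --- X25519 (RFC 7748), pure Python for illustration. The conditional swap below
# is NOT constant time; a production implementation must use a vetted library. ---
P = 2**255 - 19
A24 = 121665  # (486662 - 2) / 4 for Curve25519


def _decode_scalar(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248          # clear low 3 bits (cofactor clearing)
    k[31] &= 127         # clear top bit
    k[31] |= 64          # set bit 254
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    u = bytearray(u)
    u[31] &= 127         # ignore the unused most significant bit
    return int.from_bytes(u, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    if len(scalar) != 32 or len(u) != 32:
        raise ValueError("X25519 inputs must be 32 bytes")
    k, x1 = _decode_scalar(scalar), _decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):            # Montgomery ladder over the scalar bits
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


BASEPOINT = (9).to_bytes(32, "little")   # u = 9, the Curve25519 generator


# --- SSH wire encodings (RFC 4251) ---
def ssh_string(b: bytes) -> bytes:
    return len(b).to_bytes(4, "big") + b


def ssh_mpint(n: int) -> bytes:
    # Minimal two's-complement big-endian; zero is the empty string.
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw              # keep a positive value positive
    return ssh_string(raw)


def shared_secret_K(own_private: bytes, peer_public: bytes) -> int:
    """Derive K from X25519 and apply the length and all-zero checks."""
    if len(peer_public) != 32:
        raise ValueError("abort: peer public key has unexpected length")
    secret = x25519(own_private, peer_public)
    if secret == bytes(32):
        raise ValueError("abort: all-zero shared secret (low-order peer key)")
    # Fixed-length unsigned big-endian integer, later encoded as mpint in H.
    return int.from_bytes(secret, "big")


def exchange_hash(V_C, V_S, I_C, I_S, K_S, Q_C, Q_S, K) -> bytes:
    """H = SHA-256(string V_C || string V_S || string I_C || string I_S ||
                   string K_S || string Q_C || string Q_S || mpint K)"""
    data = (ssh_string(V_C) + ssh_string(V_S) + ssh_string(I_C) + ssh_string(I_S)
            + ssh_string(K_S) + ssh_string(Q_C) + ssh_string(Q_S) + ssh_mpint(K))
    return hashlib.sha256(data).digest()


def demo():
    # Constructed, fixed private keys so the run is reproducible; real
    # implementations draw fresh random scalars for every exchange.
    client_priv = bytes(range(32))
    server_priv = bytes(range(100, 132))
    Q_C = x25519(client_priv, BASEPOINT)    # client ephemeral public key
    Q_S = x25519(server_priv, BASEPOINT)    # server ephemeral public key
    V_C, V_S = b"SSH-2.0-client_example", b"SSH-2.0-server_example"
    I_C, I_S = b"<constructed KEXINIT client>", b"<constructed KEXINIT server>"
    K_S = b"<constructed server host key blob>"
    K_client = shared_secret_K(client_priv, Q_S)
    K_server = shared_secret_K(server_priv, Q_C)
    H_client = exchange_hash(V_C, V_S, I_C, I_S, K_S, Q_C, Q_S, K_client)
    H_server = exchange_hash(V_C, V_S, I_C, I_S, K_S, Q_C, Q_S, K_server)
    return K_client == K_server, H_client == H_server, H_client


if __name__ == "__main__":
    print(demo())
```

Both sides compute the same K and therefore the same H, which the server then signs with its host key and the client verifies; the all-zero check matters because a peer that sends a low-order point (for instance the all-zero u-coordinate) would otherwise force a predictable K regardless of the local private key.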