Skip to main content

Increase the Secure Shell Minimum Recommended Diffie-Hellman Modulus Size to 2048 Bits
RFC 8270

Yes

(Adam Roach)
(Alexey Melnikov)
(Eric Rescorla)

No Objection

Alvaro Retana
(Alia Atlas)
(Deborah Brungard)
(Terry Manderson)

Note: This ballot was opened for revision 05 and is now closed.

Warren Kumari Yes

Comment (2017-09-11 for -05)
Minor nit:

Section 2.  2048 bits DH Group
"It also suggests that in all cases, the size of the group needs be at least 1024 bits.This document updates [RFC4419] as described below:"
s/bits.This/bits. This/ (missing space).

Alvaro Retana No Objection

(Adam Roach; former steering group member) Yes

Yes (for -05)

                            

(Alexey Melnikov; former steering group member) Yes

Yes (for -05)

                            

(Ben Campbell; former steering group member) Yes

Yes (2017-09-13 for -05)
I share the questions about "SHOULD" vs "MUST".

- abstract: "insufficient against state-sponsored
   actors, and possibly an organization with enough computing resources"

Should "an" be "any"?  (Same question for section 2).

(Eric Rescorla; former steering group member) Yes

Yes (for -05)

                            

(Kathleen Moriarty; former steering group member) Yes

Yes (2017-09-13 for -05)
I do agree with Spencer, the text that is non-normative reads as if this is fully deprecating any recommendation below 2048, but then the normative text just says SHOULD.  Is there a reason this is not MUST?  I know deprecating things takes a long time.

(Mirja Kühlewind; former steering group member) Yes

Yes (2017-09-04 for -05)
1) Can you explain why the pre-5378 boilerplate is used? 

2) I guess RFC4419 should be a normative reference!

(Alia Atlas; former steering group member) No Objection

No Objection (for -05)

                            

(Benoît Claise; former steering group member) No Objection

No Objection (2017-09-13 for -05)
Sue, in her OPS DIR review, brought up a good point.
This document does not indicate whether it is wise for the operations system to log a report if it receives a less than 2048 bits.  
Would this enhance security or provide DoS attack surface.   If logging creates a DoS surface, it would be good to include this as operational advice.

(Deborah Brungard; former steering group member) No Objection

No Objection (for -05)

                            

(Spencer Dawkins; former steering group member) No Objection

No Objection (2017-09-12 for -05)
So, I see that the recommendations are mostly SHOULDs. 

Is this, perhaps, for backward compatibility with SSH implementations that don't implement this specification?

This isn't remotely something I'm smart about, but I do wonder about bid-down attacks to, say, 1024. Is that possible?

(Suresh Krishnan; former steering group member) No Objection

No Objection (2017-09-13 for -05)
RFC4419 specifies an example in Appendix A that uses a 1024 bit safe prime. Shouldn't this Appendix be updated by the draft as well?

(Terry Manderson; former steering group member) No Objection

No Objection (for -05)