Increase the Secure Shell Minimum Recommended Diffie-Hellman Modulus Size to 2048 Bits
RFC 8270
Yes
No Objection
Note: This ballot was opened for revision 05 and is now closed.
Warren Kumari Yes
Minor nit: Section 2. 2048 bits DH Group "It also suggests that in all cases, the size of the group needs be at least 1024 bits.This document updates [RFC4419] as described below:" s/bits.This/bits. This/ (missing space).
Alvaro Retana No Objection
(Adam Roach; former steering group member) Yes
(Alexey Melnikov; former steering group member) Yes
(Ben Campbell; former steering group member) Yes
I share the questions about "SHOULD" vs "MUST". - abstract: "insufficient against state-sponsored actors, and possibly an organization with enough computing resources" Should "an" be "any"? (Same question for section 2).
(Eric Rescorla; former steering group member) Yes
(Kathleen Moriarty; former steering group member) Yes
I do agree with Spencer, the text that is non-normative reads as if this is fully deprecating any recommendation below 2048, but then the normative text just says SHOULD. Is there a reason this is not MUST? I know deprecating things takes a long time.
(Mirja Kühlewind; former steering group member) Yes
1) Can you explain why the pre-5378 boilerplate is used? 2) I guess RFC4419 should be a normative reference!
(Alia Atlas; former steering group member) No Objection
(Benoît Claise; former steering group member) No Objection
Sue, in her OPS DIR review, brought up a good point. This document does not indicate whether it is wise for the operations system to log a report if it receives a less than 2048 bits. Would this enhance security or provide DoS attack surface. If logging creates a DoS surface, it would be good to include this as operational advice.
(Deborah Brungard; former steering group member) No Objection
(Spencer Dawkins; former steering group member) No Objection
So, I see that the recommendations are mostly SHOULDs. Is this, perhaps, for backward compatibility with SSH implementations that don't implement this specification? This isn't remotely something I'm smart about, but I do wonder about bid-down attacks to, say, 1024. Is that possible?
(Suresh Krishnan; former steering group member) No Objection
RFC4419 specifies an example in Appendix A that uses a 1024 bit safe prime. Shouldn't this Appendix be updated by the draft as well?
(Terry Manderson; former steering group member) No Objection