From owner-freebsd-security Mon Nov 27 6:56:58 2000 Delivered-To: freebsd-security@freebsd.org Received: from citi.umich.edu (citi.umich.edu [141.211.92.141]) by hub.freebsd.org (Postfix) with ESMTP id B492637B479; Mon, 27 Nov 2000 06:56:55 -0800 (PST) Received: from citi.umich.edu (ssh-mapper.citi.umich.edu [141.211.92.147]) by citi.umich.edu (Postfix) with ESMTP id 07C53207C1; Mon, 27 Nov 2000 09:56:55 -0500 (EST) Subject: Re: OpenSSH 2.3.0 pre-upgrade From: Niels Provos In-Reply-To: "Jeroen C. van Gelderen", Sun, 26 Nov 2000 18:57:16 -0400 To: "Jeroen C. van Gelderen" Cc: Kris Kennaway , "Brian F. Feldman" , security@FreeBSD.ORG Date: Mon, 27 Nov 2000 09:56:55 -0500 Message-Id: <20001127145655.07C53207C1@citi.umich.edu> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <3A21954C.F9E9D25F@vangelderen.org>, "Jeroen C. van Gelderen" writes : >Or at a more basic level: Are cooked primes a problem in >this setting?[1] If not, you want to mention this as a >non-issue in the "Security Considerations" section. If >cooked primes are indeed a problem the protocol needs to >be enhanced to counter them. Either way, the draft needs >a couple of extra words IMHO. That is not an issue. You need to trust the server anyway. If you have any helpful wording that could be added to the draft, I will be more than happy to include it. >Anyway, my assumption that dh-group-exchange is non-standard >still holds as far as I can see so I'd still recommend not >enabling this feature by default for now. There are a couple of implementations besides OpenSSH that support it. Of course, you could still disable it, but you should think about it carefully. >What steps have to taken to have this standardized? Is this >proposal being considered by the IETF secsh working group? We are working on it, it takes time though. Niels. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message