I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. The summary of the review is Ready. This document describes how to implement key exchange based on Elliptic Curve Curve25519 (with SHA256) and Curve448 (with SHA512) in SSH. Note: the curve25519-sha256 key exchange is similar to the "curve25519-sha256@libssh.org" key exchange method implemented in libssh and OpenSSH. One thought: I am not cryptographer enough to give a proper recommendation as to the suitability of Curve448 with SHA-512. The reviews state that they would be similar, but with Curve448 not having received the same amount of cryptographic review. I am a bit cautious on assuming it would be good fallback in case Curve25519 would be considered weakened by cryptographic advances. Surely extending the hash to 512 can be helpful, but as both Curve448 and Curve25519 seem to rely on similar principles, the advances that might weaken 25519 might sooner or later also impact 448. Considering that 448 has not had so many reviews, I am not sure whether it is helpful to add it as a fallback. In case of new advances, 448 would have to be reviewed more closely before a general fallback would be recommended. This is only my personal view with limited background in cryptography. However, equally, it might be prudent to add 448 in this document now as it is and then schedule the deeper review once new breakthroughs are being discovered that weaken 25519. One minor spelling nits: section 5: ...but it is provided as an hedge/ but it is provided as a hedge Overall the draft is ready to go. Best regards, Tobias