IETF-SSH archive


Re: des-cbc cipher



On Thu, Nov 29, 2001 at 10:14:03AM -0500, RJ Atkinson wrote:
> At 03:43 29/11/01, Markus Friedl wrote:
> >However, if you need to have DES-CBC, write a document,
> >use "des-cbc%inet.org@localhost" and everything will be fine.
> 
>         Regrettably, that doesn't help at all -- because it doesn't document
> how to implement such that one can interoperate with the installed base 
> of DES-CBC implementations of SSHv2.  There are multiple such 
> implementations and an installed base of users.

but these implementations violate the drafts if they
use "des-cbc". they must use "des-cbc@domain".

if i add some cipher to openssh without a "@", will
the working group add the cipher to the drafts?

i don't think so.

>         I'd REALLY prefer to resolve this in the WG.  I've tried to
> propose several forms of packaging that would both let the technical
> detail get documented and also let folks who have passion against
> DES-CBC document their issues/concerns/recommendations and also make
> it crystal clear that DES-CBC isn't something an implementation is
> expected to support.  If we can't resolve this issue here, then an appeal 
> is likely -- which will necessarily delay the documents substantially 
> (delay being explicitly NOT my objective).  Sigh.

i don't think it's the job of the WG to add a specification
just because some broken implementations violate the draft.

the drafts should not try to describe all existing implementations
and their bugs. or am i missing something?

-m


