Re: retrying keyex (was: Re: Why SFTP performance sucks, and how to fix it)

[Nicolas Williams <Nicolas.Williams%sun.com@localhost>]

On Wed, Jul 09, 2003 at 08:12:52PM -0400, Joel N. Weber II wrote:
> The case I was thinking of, though, is the case where the client
> decides it doesn't trust the certificate presented by the server, and
> that it wants to try another method.  For example, a common problem is
> that your average web browser doesn't recognize the X.509 CA that
> issues certificates for most HTTPS web servers in the mit.edu domain.
> And with OpenPGP, everyone has their own set of trust values, and
> there's no chance you could ever predict whether a client will trust a
> host key without feeding the client the host key and asking whether it
> trusts it.
> 
> Since the host key is sent in the last message of the public key key
> exchange algorithms, the client doesn't realize that it doesn't trust
> the key until key exchange would appear to have finished judging from
> the messages being passed back and forth.

BTW, this would apply to GSS-API keyex with SPKM as well.

I think the problem can be fixed without revving the protocol version,
but it wouldn't be pretty (I imagine using a bogus alg name to indicate
support for retriable keyex).  If has to be pretty then the protocol
will have to be revved.  Either way the fix will have to wait.

Cheers,

Nico
--