IETF-SSH archive


Re: retrying keyex (was: Re: Why SFTP performance sucks, and how to fix it)



On Wed, Jul 16, 2003 at 03:23:24PM -0400, Joel N. Weber II wrote:
> > BTW, this would apply to GSS-API keyex with SPKM as well.
> 
> What does SPKM do that GSI and x509v3-sign-rsa/x509v3-sign-dss don't?

Nothing.  That's the point.  By the time that the SPKM initiator
(client) finds out what the acceptor's (server's) certificate is, the
client and server have committed to doing SSHv2 GSS-API kex w/ SPKM and
CAN'T fall back on another kex method should the acceptor's cert not be
good enough for the client.

I was pointing out more scenarios in which the inability to re-try kex
could be obnoxious.

> If we want to discuss another GSSAPI mechanism that might possibly be
> worth supporting in the future, SRP might be more interesting to
> discuss.

Not in this WG.

Cheers,

Nico
-- 
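To make the "committed before the cert is seen" point concrete, here is an added example (not part of the thread, not code from any SSH implementation) that models the SSHv2 algorithm negotiation of RFC 4253 section 7.1 and then the client's certificate policy check; the `gss-*-EXAMPLE` method names are constructed placeholders, and the reconnect loop is the only fallback a client has once a kex method is fixed for a connection.

```python
# Added illustration of SSHv2 kex negotiation (RFC 4253 s7.1): the first
# algorithm in the client's KEXINIT list that the server also lists wins.
# The choice is made from the name lists alone; for a certificate-based
# GSS-API mechanism the acceptor's certificate is only seen afterwards,
# and a client that then rejects it cannot move on to the next method
# within the same connection.  Method names ending in -EXAMPLE are
# constructed placeholders, not registered SSH names.

def negotiate(client_prefs, server_prefs):
    """Return the first client-preferred name the server also supports."""
    server_set = set(server_prefs)
    for name in client_prefs:
        if name in server_set:
            return name
    return None  # no common kex method: the connection fails outright

def attempt_connection(client_prefs, server_prefs, cert_ok):
    """One connection: negotiate, then apply the client's certificate policy.
    cert_ok(method) models the client's decision about the acceptor's cert,
    which only becomes known after the method is already committed."""
    chosen = negotiate(client_prefs, server_prefs)
    if chosen is None:
        return ("no-common-kex", None)
    if chosen.startswith("gss-") and not cert_ok(chosen):
        # No in-protocol way to retry kex with another method: disconnect.
        return ("disconnect", chosen)
    return ("ok", chosen)

def connect_with_reconnects(client_prefs, server_prefs, cert_ok):
    """Client-side workaround: drop the rejected method and open a new
    connection.  Returns (method used, number of connections it took)."""
    prefs = list(client_prefs)
    connections = 0
    while prefs:
        connections += 1
        status, chosen = attempt_connection(prefs, server_prefs, cert_ok)
        if status == "ok":
            return (chosen, connections)
        if status == "no-common-kex":
            break
        prefs.remove(chosen)  # avoid the method whose cert was rejected
    return (None, connections)

# Constructed preference lists for the demonstration.
CLIENT = ["gss-spkm-EXAMPLE", "gss-krb5-EXAMPLE", "diffie-hellman-group14-sha1"]
SERVER = ["gss-spkm-EXAMPLE", "diffie-hellman-group14-sha1"]

def reject_spkm_cert(method):
    """Client policy for the demo: the SPKM acceptor's cert is not good enough."""
    return not method.startswith("gss-spkm")

if __name__ == "__main__":
    print(attempt_connection(CLIENT, SERVER, reject_spkm_cert))
    print(connect_with_reconnects(CLIENT, SERVER, reject_spkm_cert))
```

The first call ends in a disconnect even though both sides support a DH method the client would accept; only a second connection with SPKM removed from the client's list reaches it.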